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(57) In a system (e.g., debit card) where a PIN is 
entered as verification, the PIN and biometric informa- 
tion, which is free of being stolen or faked, are combined 
to realize secure user verification. The leakage and the 
theft of a PIN is reliably prevented, thereby realizing a 
high security ability. To-be-verified biometric feature da- 
ta is transmitted from first transceiving interface (205) 
of data processing device (200) to portable electronic 
device (300). Biometric feature data verifying section 
(306) of portable electronic device (300) compares the 
to-be-verified biometric feature data, which has been re- 
ceived by second transceiving interface (301 ), with valid 
biometric feature data. If a predetermined matching con- 
dition between the to-be-verified biometric feature data 
and the valid biometric feature data is satisfied, a PIN 
stored in portable electronic device (300) is transmitted 
from second transceiving interface (301) to manage- 
ment device (400) via first transceiving interface (205) 
of data processing device (200). 
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Description 

Field of the Invention 

[0001] The present invention relates to a portable 
electronic device, such as an IC (integrated Circuit) 
card, having a function for verifying a user utilizing bio- 
metric information (for example, fingerprints, voice, iris 
patterns, facial patterns, retina patterns, blood vessel 
patterns, hand shapes, signatures, voice, keystrokes, 
signature dynamics, and so on). 
[0002] Electronic commerce using portable electronic 
devices, such as IC cards, promises to flourish in the 
near future, and to accompany this, tamper-resistant 
(tamperproof) IC cards are already in use. However, us- 
er verification still has a problem of poor security. A 
password (personal identification number; PIN) is re- 
quested as verification, and there is a danger of "spoof- 
ing" or "identity fraud" if the password is stolen. 
[0003] In particular, when debit cards are used at mer- 
chant locations, users are requested to directly input 
4-digit PINs through a keypad. Since such places are 
poor in security In comparison with financial institution, 
there is a high risk that PINs may be stolen at merchant 
locations and afterward used fraudulently. 
[0004] Therefore, it is expected that biometric infor- 
mation, such as fingerprints and iris patterns, will be em- 
ployed, in association with encryption and a public key 
{PKI (Public Key identification)} system, in user verifica- 
tion for IC cards and debit cards. 
[0005] Here, a debit card denotes a magnetic bank- 
card which is issued by a financial institution, and which 
can be used to shop at merchant locations. The pur- 
chase amount is deducted automatically from the card- 
holder* s bank account. 

BACKGROUND OF THE INVENTION 

[0006] Until now, electronic commerce utilizing IC 
cards and debit cards have assumed user verification 
associated with a PKI system. In most cases an IC card 
or a debit card is used, however, a user is verified with 
a password (PIN), and there is thus a danger of fraud- 
ulent use (spoofing or identity fraud) as in the case of a 
conventional bankcard. 

[0007] More precisely, users who are not accustomed 
to using a password tend to choose easy-to-remember 
strings of characters or digits as passwords or PINs; for 
example, the user's or a family member's name or birth- 
day, telephone number, favorite word, etc. Passwords 
or PINs can easily be leaked or stolen, if they are noted 
down, or if they are "shoulder surfed" -someone watch- 
es you from a nearby location as you punch in your pass- 
word through a ten-key pad — at the time debit cards 
are used at merchandise locations. 
[0008] Such Identity theft commonly occurs, which is 
evident from the frequency of cases in which money is 
easily stolen from a victim' s accounts by using a stolen 
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bankcard. This proves that user verification with a pass- 
word is insufficient in for security purposes. 
[0009] Employing passwords in user verification sim- 
plifies systems and reduces manufacturing costs, but 

s the user should be security-conscious. For example, a 
password should not be the user 1 s or a family member 1 
s name or birthday, telephone number, or favorite word. 
Taking a note of a password should of course be pro- 
hibited. Further, the user must always be cautious about 

10 the theft of a password whenever he uses that pass- 
word, because third parties can read passwords from 
the movement of a user's fingers while he is punching 
in his password. 

[0010] Further, as in the case of a password, the user 

is must be careful with an encryption key. Generally 
speaking, memorizing an encryption/decryption key is 
troublesome because its character string is exceedingly 
long. Hence, the key is normally stored in a computer 
or in a flexible disc, and it is read therefrom as neces- 

20 sary. At the time the key is read out, a password is often 
used to retain the security of the key. At that time, a 
short, easy-to-memorize character string should not be 
used because a lengthy character string is difficult to 
memorize. Such a short character string will significantly 

25 diminish the security of the key. 

[0011] The forgoing problems are found also in IC 
cards and debit cards. No matter how the tamper-resist- 
ant properties of IC cards are improved to protect the 
encryption key (secret key) stored therein from theft, ail 

30 the efforts come to nothing without the users' awareness 
of the security of passwords. 

[0012] Hence, in electronic commerce utilizing IC 
cards or debit cards, it is required to combine the PIN 
verification with biometric user verification (for example, 
35 fingerprints, voice, iris patterns, facial patterns, retina 
patterns, blood vessel patterns, hand shapes, signa- 
tures, voice, keystrokes, signature dynamics, and so 
on), in which user-independent security setting is real- 
ized. 

40 p)013] Biometric information utilizes characteristics of 
the human body that are unique to a user. It avoids the 
necessity of memorizing or writing down passwords, 
and it cannot be surmised by third parties. Further, bio- 
metric information utilizes difficult to counterfeit, and 

45 thus, even if a user is watched as he is undergoing bio- 
metric verification, it is impossible to fake the biometric 
information. Hence, biometric user verification is the op- 
timum choice in a case where user verification is of great 
importance. 

so [001 4] A debit card is a bankcard that can be used to 
shop at merchandise locations. Thus, if a password 
(PIN) for a debit card is stolen, a lot of harm will be 
caused. For this reason, in a system (for example, debit 
cards) where a PIN is requested as verification, it is 

ss strongly expected that the input of a PIN will be associ- 
ated with biometric user verification. 
[001 5] On the other hand, with recent increases in the 
storage capacity of IC cards, it is now possible to store/ 
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register from hundreds of bytes to 2 kilobytes of biomet- 
ric feature data in an IC card. A small-sized processor 
(CPU) built in an IC card allows the IC card to serve as 
a data processor. 

[001 6] Existing processors for IC cards, however, do 5 
not have the ability to execute all the processing of bio- 
metric feature data. Thus, an IC card terminal (external 
data processing device) for accessing IC cards samples 
an object user's biometric information, and it also ex- 
tracts therefrom biometric feature data (hereinafter 10 
called lo-be-verif ied biometric feature data") for use in 
user verification, and IC cards are devoted to the verifi- 
cation of the extracted biometric feature data (for exam- 
ple, see Japanese Patent Application Publication No. 
HE1 10-312459). More precisely, an IC card previously 
stores its authorized user's biometric feature data as 
valid biometric feature data. Upon receipt of to-be-veri- 
fied biometric feature data from the IC card terminal , the 
IC card compares the to-be-verified biometric feature 
data with the valid biometric feature data, and then re- 20 
turns the comparison/verification result to the IC card 
terminal. 

[0017] Applying the relationship between the IC card 
and the IC card terminal to a client-server fingerprint ver- 
ification method, the IC card terminal corresponds to a 25 
client which extracts fingerprint features, and the IC card 
corresponds to a server which verifies the fingerprint 
feature data. The foregoing verification method using an 
IC card, however, differs from the client-server finger- 
print verification method in that, in the former method, 30 
the IC card, which meets the server of the latter method, 
is carried by a user as a highly tamper-resistant portable 
electronic device. Since biometric feature data verifica- 
tion and its subsequent processing are executed on the 
IC card which is carried by a user, not on a server which 35 
is managed by a third party, the former offers an advan- 
tage of ensuring user privacy. 

[0018] However, the foregoing combination between 
biometric information and an IC card still has problems 
to be solved. The problems are that to-be-verified bio- 40 
metric feature data is sent, as it is, from the IC card ter- 
minal to the IC card, and that a verification result is sent 
out from the IC card as an OK/NG signal (071 signal). 
As a result, no matter how the IC card is superior in 
tamper-resistant properties, there still remains the pos- 45 
sibitity that the data transmitted/received between the 
IC card and the IC card terminal may be wrongfully ob- 
tained and used by third parties. In other words, the ex- 
isting combination between an IC card and biometric in- 
formation has not taken full advantage of the high 50 
tamper-resistant property of a recent IC card. 
[001 9] Accordingly, it has been expected that high se- 
curity ability will be guaranteed when to-be-verified bio- 
metric feature data is input to an IC card, and also when 
a verification result obtained within an IC card is sent ss 
out to an external apparatus. 
[0020] With the foregoing problems in view, one ob- 
ject of the present invention is to realize secure user ver- 
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if ication. The present invention is applied to a system 
(for example, debit cards) where the input of a PIN is 
requested as verification, making It possible to use PIN 
verification in association with biometric feature data, 
which is free of having been stolen or faked. The leak- 
age and theft of the PIN are thus reliably prevented, so 
that a high level of security can be guaranteed. 
[0021 ] Another object of the invention is to guarantee 
high security ability when to-be-verified biometric fea- 
ture data is input to portable electronic device, such as 
an IC card, and also when a verification result obtained 
within an IC card is sent out to an external apparatus, 
so that secure user verification is realized. 

DISCLOSURE OF THE INVENTION 

[0022] 

(1-1) In order to accomplish the above object, ac- 
cording to the present invention, there is provided 
a user verification system, comprising: a portable 
electronic device, which is adapted to be carried by 
a user; a data processing device for directly access- 
ing such portable electronic device which is tempo- 
rarily installed therein; and a management device 
which accesses the portable electronic device via 
the data processing device and verifies the user uti- 
lizing a personal identification number (PIN). 

The data processing device includes: a biomet- 
ric information measuring unit for measuring bio- 
metric information of the user; a biometric feature 
data extracting section for extracting to-be-verified 
biometric feature data from the biometric informa- 
tion, which has been measured by biometric infor- 
mation measuring unit; and a first transceiving in- 
terface for transmitting/receiving data to/from the 
portable electronic device and the management de- 
vice. 

The portable electronic device includes: a bio- 
metric feature data register section having p re- 
stored valid biometric feature data of an authorized 
user of the portable electronic device; a second 
transceiving interface for transmitting/receiving da- 
ta to/from the data processing device; a biometric 
feature data verifying section for comparing to-be- 
verified biometric feature data, which is received 
from an external device via the second transceiving 
interface, with the valid biometric feature data; and 
a PIN register section having a pre-stored PIN of 
the authorized user of the portable electronic de- 
vice. 

The to-be-verified biometric feature data is 
transmitted from the first transceiving interface of 
the data processing device to the portable electron- 
ic device, and the biometric feature data verifying 
section of the portable electronic device compares 
the to-be-verified biometric feature data, which has 
been received via the second transceiving inter- 
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face, with the valid biometric feature data. As the 
result of the comparison, if the to-be-verified bio- 
metric feature data matches the valid biometric fea- 
ture data in terms of a predetermined matching con- 
dition, the PIN is transmitted from the second trans- s 
ceiving interface of the portable electronic device to 
the management device via the first transceiving in- 
terface of the data processing device. 
(1 -2) The data processing device further includes a 
first encryption section for encoding the to-be-veri- '0 
fied biometric feature data with a public key, and the 
portable electronic device further includes: a secret 
key register section having a pre-stored valid secret 
key corresponding to the public key; and a decryp- 
tion section for decoding encoded data, which is re- 
ceived from an external device via the second trans- 
ceiving interface, with the valid secret key. The to- 
be-verified biometric feature data encoded by the 
first encryption section is transmitted from the first 
transcerving interface to the portable electronic de- 20 
vice, as the aforementioned encoded data, and the 
decryption section decodes the encoded data, 
which has been received via the second transcerv- 
ing interface, into the original to-be-verified biomet- 
ric feature data, which is then compared with the 25 
valid biometric feature data by the biometric feature 
data verifying section. 

(1-3) The portable electronic device further in- 
cludes: a made-for-management-device public key 
register section having a pre-stored public key ded- 30 
icated to the management device; and a second en- 
cryption section for encoding the PIN with the 
made-for-management-device public key before 
the PIN is sent out to the management device. 
(1-4) The portable electronic device further includes 35 
a recording unit provided on its surface, which re- 
cording unit stores magnetic data of information for 
use in processing carried out by the management 
device. The data processing device further includes 
a magnetic data read-out unit for reading out the 40 
magnetic data stored in the recording unit, and the 
magnetic data, which has been readout by the mag- 
netic data read-out unit, is sent out, together with 
the PIN, from the first transcerving interface to the 
management device. 45 
(1 -5) The data processing device further includes a 
time stamp generating section for generating a time 
stamp as the date and time when the biometric fea- 
ture data extracting section has extracted the to-be- 
verified biometric feature data. The time stamp is 50 
encoded, together with the to-be-verified biometric 
feature data, by the first encryption section, and the 
encoded time stamp is then sent out from the first 
transcerving interface to the portable electronic de- 
vice. The portable electronic device further in- ss 
eludes: a clock function section for calculating the 
current time; and a time stamp verifying section for 
comparing the original time stamp, which has been 



restored by the decryption section, with the current 
time, which has been calculated by the clock func- 
tion section, if it is found, as the comparison result 
by the biometric feature data verifying section, that 
the to-be-verified biometric feature data matches 
the valid biometric feature data in terms of a prede- 
termined matching condition, and also if it is found, 
as the comparison result by the time stamp verifying 
section, that a difference between the time stamp 
and the current time falls within a predetermined 
range, the user is identified as the authorized user 
of the portable electronic device. 
(1 -6) If the user is identified as the authorized user 
of the portable electronic device, as the comparison 
result by the biometric feature data verifying section 
and the time stamp verifying section, the second en- 
cryption section encodes both the PIN and the date 
and time the comparison was performed, which 
date and time is obtained by the clock function sec- 
tion, and the encoded PIN and the encoded date 
and time of the comparison are then sent out from 
the second transceiving interface of the portable 
electronic device to an external apparatus. 
(1 -7) Upon receipt of a predetermined signal via the 
second transceiving interface, the portable elec- 
tronic device transmits public key information of the 
authorized user, which public key information is reg- 
istered in the portable electronic device, from the 
second transceiving interface to an external device. 
(1 -8) The user verification system further comprises 
a lock function section which is operable to prohibit 
input of biometric feature information to the portable 
electronic device, if the evaluation is made a prede- 
termined number of times successively, as a result 
of the comparison by the feature data verifying sec- 
tion of the portable electronic device, that the to-be- 
verified biometric feature data never matches the 
valid biometric feature data in terms of the prede- 
termined matching condition. 
(1 -9) The portable electronic device further includes 
a management log recording section storing a man- 
agement log of the PIN, which management log ac- 
cumulates the dates and times when the PIN has 
been transmitted, or the descriptions of transac- 
tions performed, or both of these. 

[0023] In the user verification system of the above 
item (1-1), the biometric information measuring unit 
measures biometric information of an object user to be 
verified, and the biometric feature data extracting sec- 
tion extracts to-be-verified biometric feature data from 
the biometric information. These processes are per- 
formed in the data processing device, and the thus ob- 
tained to-be-verified biometric feature data is then trans- 
mitted from the first transceiving interface to the portable 
electronic device. In the portable electronic device, upon 
receipt of the to-be-verified biometric feature data via 
the second transceiving interface, biometric feature da- 
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ta verifying section compares/verifies the to-be-verified 
biometric feature data with valid biometric feature data. 
As the result of the comparison, if the to-be-verified bi- 
ometric feature data satisfies a predetermined matching 
condition with the valid biometric feature data, a PIN is 
transmitted to the management device. 
[0024] As aforementioned, according to the user ver- 
ification system of the item (1 -1 ), after a predetermined 
matching between the to-be-verified biometric feature 
data and the valid biometric feature data is confirmed, 
the PIN stored in the portable electronic device is trans- 
mitted to the management device. Thus, it is no longer 
necessary to directly input a PIN to the data processing 
device with a ten-key pad, and the PIN only passes 
through the data processing device, so that the risk of 
a PIN being stolen at its input can be minimized. Accord- 
ingly, with the present invention applied to a system (for 
example, debit cards) where a PIN is requested to be 
input as verification, ft is possible to associate PIN ver- 
ification with biometric user verification using biometric 
feature data, which is free of being stolen or faked. The 
leakage and the theft of PINs are thus prevented with 
reliability, so that a high level of security can be guaran- 
teed, thereby realizing secure user verification. 
[0025] According to the user verification system of the 
foregoing item (1-2), the first encryption section of the 
data processing device encodes the to-be-verified bio- 
metric feature data using a public key, and the encoded 
data is transmitted to the portable electronic device. Up- 
on receipt of the encoded data, the decryption section 
of the portable electronic device decodes the data with 
a valid secret key to restore the original to-be-verified 
biometric feature data, and the biometric feature data 
verifying section performs comparison/verification. That 
is, the to-be-verified biometric feature data is encoded 
by a public key system before it is sent out from the data 
processing device to the portable device, and all the da- 
ta that was entered in the portable electronic device for 
user verification is decoded in the portable electronic de- 
vice. It is thus possible to prevent the inputting of any 
tampered to-be-verified biometric feature data, making 
it difficult for wicked persons to commit spoofing or iden- 
tity fraud, so that a high level of security is guaranteed. 
Further, even if the to-be-verified biometric feature data 
should be intercepted using a false portable electronic 
device (a false IC card, or the like), it is still difficult to 
wrongfully use such stolen biometric feature data in an- 
other system because the stolen biometric feature data 
is encoded data. Accordingly, a high level of security is 
guaranteed, and user verification can be performed with 
secure. 

[0026] According to the user verification system of the 
foregoing item (1-3), all the data transmitted from the 
portable device to an external apparatus is encoded in 
the portable electronic device. More precisely, the sec- 
ond encryption section encodes a PIN using a public key 
for the management device before the PIN is transmit- 
ted from the portable electronic device to the manage- 



ment device. Accordingly, even If a PIN should be inter- 
cepted during its transmission from the portable device 
to an external apparatus, it is still difficult to falsely use 
the stolen PIN in another system because the thus 

s wrongfully obtained PIN has been encoded, so that a 
higher level of security is guaranteed. 
[0027] According to the user verification system of the 
foregoing item (1-4), the magnetic data read-out unit 
reads out the Information stored in the recording unit 

10 provided on the surface of the portable electronic de- 
vice, and the read-out information is transmitted to the 
management device along with a PIN. Accordingly, the 
user verification system of the forgoing item (1 -4) is ap- 
plicable in a case where a type of IC card having a func- 

15 tion (magnetic stripes) of an existing magnetic card 
serves as a portable electronic device. 
[0028] According to the user verification system of the 
foregoing item (1 -5), in the data processing device, a 
time stamp is generated as the date and time the to-be- 

20 verified biometric feature data was extracted, and the 
generated time stamp is attached to the to-be-verified 
biometric feature data, and is then transmitted to the 
portable electronic device. In the portable electronic de- 
vice, the user is authenticated if a predetermined match- 
es jng condition is satisfied between the to-be-verified bio- 
metric feature data and valid biometric feature data, and 
also if the difference between the time stamp (the ex- 
traction date-and-time) and the current time falls within 
a predetermined range. Accordingly, even if to-be-veri- 

30 tied biometric feature data should be intercepted during 
its transmission from the date processing device to the 
portable electronic device, and even if the stolen feature 
data should be falsely used in a replay attack against 
the portable device, the difference between the time 

35 stamp (the extraction date-and-time) and the current 
time becomes significant. On the basis of such signifi- 
cant difference, it is possible to reject access attempts 
using such stolen to-be-verified biometric feature data, 
so that the security level of the system is significantly 

40 improved. 

[0029] According to the user verification system of the 
forgoing item (1-6), in the portable electronic device, if 
an object user is identified as the owner of the portable 
device, the PIN, together with the verification date-and- 

45 time (time stamp) obtained by the clock function section, 
is encoded by the second encryption section, and is then 
sent out to the management device. Thus, even if the 
PIN should be intercepted during its transmission from 
the portable device to the management device and then 

so be wrongfully used, the management device, which 
monitors the verification date-and-time attached to the 
PIN, can recognize that a wrongfully obtained PIN is 
used, based on the difference between the verification 
date-and-time (time stamp) and the current time. Ac- 

55 cordingly, it is possible to reject access attempts using 
such a stolen PIN, so that the security level of the system 
is significantly improved. 

[0030] According to the user verification system of the 
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forgoing item (1 -7), when the portable electronic device 
receives a predetermined signal via the second trans- 
ceiving interface, the authorized user's public key infor- 
mation stored in the portable electronic device is sent 
out to an external apparatus. It is thus possible for the 5 
data processing device to use the public key stored in 
the portable electronic device, without the necessity for 
the data processing device itself to hold a pre-stored 
public key. 

[0031 ] According to the user verification system of the 10 
forgoing item (1 -8), if the biometric feature data verifying 
section obtains the comparison result a predetermined 
times consecutively that the matching requirements be- 
tween the to-be-verified biometric feature data and the 
valid biometric feature data are not satisfied, the lock *5 
function section locks the portable electronic device to 
prohibit the inputting of biometric feature data to the 
portable electronic device, thereby preventing unau- 
thorized accessing with reliability. 

[0032] According to the user verification system of the 20 
forgoing Item (1-9), the management log recording sec- 
tion stores the date and time the PIN was sent out, or 
the content of the transaction performed, or the both of 
these. It is thus possible for the authorized user of the 
portable electronic device to keep a management log 25 
for himself, separate from the one made for the system. 
Such a user's log will serve as a safeguard against a 
low-reliability system. 

(2-1 ) A portable electronic device of the present in- 30 
vention receives/transmits data from/to a manage- 
ment device that uses a personal identification 
number (PIN) to verify a user. The portable electron- 
ic device comprises: a biometric feature data regis- 
ter section having pre-stored valid biometric feature 35 
data of an authorized user of the portable electronic 
device; a transceiving interface for transmitting/re- 
ceiving data to/from an external device; a biometric 
feature data verifying section for comparing to-be- 
verified biometric feature data, which is received 40 
from an external device via the transceiving inter- 
face, with the valid biometric feature data; and a PIN 
register section having a pre-stored PIN of the au- 
thorized user of the portable electronic device. The 
biometric feature data verifying section compares 45 
the to-be-verified biometric feature data, which has 
been received via the transceiving interface, with 
the valid biometric feature data. As the result of the 
comparison, if the to-be-verified biometric feature 
data matches the valid biometric feature data in so 
terms of a predetermined matching condition, the 
PIN is transmitted from the transceiving interface to 
the management device. 

(2-2) The portable electronic device further com- 
prises: a secret key register section having a pre- ss 
stored valid secret key corresponding to the public 
key; and a decryption section for decoding encoded 
data, which is received from an external device via 



the second transceiving interface, with the valid se- 
cret key. The decryption section decodes the en- 
coded data, which has been received via the trans- 
ceiving interface, into the original to-be-verified bi- 
ometric feature data, and the biometric feature data 
verifying section compares the original to-be-veri- 
fied biometric feature data, which has been restored 
by the decryption section, with valid biometric fea- 
ture data. 

(2-3) The portable electronic device further com- 
prises: a made-for-management-devtce public key 
register section having a pre-stored public key ded- 
icated to the management device; and an encryp- 
tion section for encoding the PIN with the made-for- 
management-device public key before the PIN is 
sent out to the management device. 
(2-4) The portable electronic device further com- 
prises a recording unit provided on its surface, 
which recording unit stores magnetic data of infor- 
mation for use in processing which is carried out by 
the management device. 

(2-5) The portable electronic device further com- 
prises: a clock function section for calculating the 
current time; and a time stamp verifying section for 
comparing a time stamp, If any, attached to the orig- 
inal to-be-verified biometric feature data restored by 
the decryption section, with the current time, which 
has been calculated by the clock function section. 
The time stamp indicates the date and time when 
the to-be-verified biometric feature data was ex- 
tracted. If it is found, as the comparison result by 
the biometric feature data verifying section, that the 
to-be-verified biometric feature data matches the 
valid biometric feature data in terms of a predeter- 
mined matching condition, and also if it is found, as 
the comparison result by the time stamp verifying 
section, that a difference between the time stamp 
and the current time falls within a predetermined 
range, the user is identified as the authorized user 
of the portable electronic device. 
(2-6) If the user is identified as the authorized user 
of the portable electronic device, as the comparison 
result by the biometric feature data verifying section 
and the time stamp verifying section, the encryption 
section encodes both the PIN and the date and time 
the comparison was performed, which date and 
time is obtained by the clock function section, and 
the encoded PIN and the encoded comparison 
date-and-time are then sent out from the transceiv- 
ing interface to an external apparatus. 
(2-7) Upon receipt of a predetermined signal via the 
transceiving interface, the portable electronic de- 
vice transmits the authorized user's public key in- 
formation, which is registered in the portable elec- 
tronic device, from the transceiving interface to an 
external device. 

(2-8) The portable electronic device further com- 
prises a lock function section which is operable to 
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prohibit the input of biometric feature information to 
the portable electronic device, if the evaluation is 
made a predetermined number of times succes- 
sively, as a result of the comparison by the feature 
data verifying section, that the to-be-verified bio- 
metric feature data never matches the valid biomet- 
ric feature data in terms of the predetermined 
matching condition. 

(2-9) The portable electronic device further com- 
prises a management log recording section storing 
a management log of the PIN, which management 
log accumulates the dates and times when the PIN 
was transmitted, or the descriptions of transactions 
performed, or both of these. 

[0033] According to the portable electronic device of 
the foregoing item (2-1) with a user verification function 
utilizing biometric information, upon receipt of the to-be- 
verified biometric feature data via the transceiving inter- 
face, biometric feature data verifying section compares/ 
verifies the to-be-verified biometric feature data with val- 
id biometric feature data. As the result of the compari- 
son, if predetermined matching requirements between 
the to-be-verified biometric feature data and the valid 
biometric feature data are satisfied, a PIN is transmitted 
to the management device. 

[0034] I n this manner, according to the portable elec- 
tronic device of the item (2-1), after a predetermined 
matching between the to-be-verified biometric feature 
data and the valid biometric feature data is confirmed, 
the PIN stored in the portable electronic device is trans- 
mitted to the management device. Thus, it is no longer 
necessary to directly input the PIN with a ten-key pad, 
so that the risk of a PIN being stolen at its input can be 
minimized. Accordingly, with the present invention ap- 
plied to a system (for example, debit cards) where input 
of a PIN is requested as verification, it is possible to as- 
sociate PIN verification with biometric user verification 
using biometric feature data, which is free of being sto- 
len or faked. The leakage and the theft of the PIN are 
thus prevented with reliability, so that a high level of se- 
curity can be guaranteed, thereby realizing secure user 
verification. 

[0035] According to the portable electronic device of 
the foregoing item (2-2), after the decryption section re- 
stores the original to-be-verified biometric feature data 
using a valid secret key, the biometric feature data ver- 
ification section carries out a comparison/verification 
operation. In other words, the to-be-verified biometric 
feature data is encoded by a public key system, and is 
then input to the portable electronic device. All the data 
that was input to the portable device at the user verifi- 
cation performed, is decoded in the portable electronic 
device. It is thus possible to prevent any counterfeit to- 
be-verified biometric feature data from being entered, 
making it difficult for wicked persons to commit spoofing 
or identity fraud, so that a high level of security is guar- 
anteed. Further, even if the to-be-verified biometric fea- 



ture data should be intercepted using a false portable 
electronic device (a false IC card, or the like) , it is still 
difficult to wrongfully use such stolen biometric feature 
data in another system because the stolen biometric 
s feature data is encoded data. Accordingly, a high level 
of security is guaranteed, and user verification can be 
performed with secure. 

[0036] According to the portable electronic device of 
the item (2-3), all the data transmitted from the portable 

'0 device to an external apparatus is encoded in the port- 
able electronic device. More precisely, the encryption 
section encodes a PIN using a public key for the man- 
agement device before the PIN is transmitted from the 
portable electronic device to the management device. 

is Accordingly, even if a PIN should be intercepted during 
its transmission from the portable device to an external 
apparatus, it is still difficult to falsely use the stolen PIN 
in another system because the thus wrongfully obtained 
PIN has been encoded, so that a higher level of security 

20 is guaranteed. 

[0037] According to the portable electronic device of 
the foregoing item (2-4), there is provided on the surface 
of the portable electronic device a recording unit storing 
magnetic data of the information which is for use in the 

25 processing made on the management device. Accord- 
ingly, the portable electronic device of the forgoing item 
(1 -4) is applicable in a case where an IC card equipped 
with a function (magnetic stripes) of an existing magnet- 
ic card serves as a portable electronic device. 

30 [0038] According to the portable electronic device of 
the foregoing item (2-5), as a result of the comparison 
by biometric feature data verification section, if the to- 
be-verified biometric feature data satisfies a predeter- 
mined matching condition with the valid biometric fea- 

35 ture data, and also if the difference between the time 
stamp (the extraction date-and-time) and the current 
time falls within a predetermined range, the object per- 
son is judged to be the authorized user of the portable 
electronic device. Accordingly, even if the to-be-verified 

40 biometric feature data should be intercepted during its 
transmission to the portable electronic device, and even 
if the stolen feature data should be falsely used in a re- 
play attack against the portable device, the difference 
between the time stamp (the extraction date-and-time) 

45 and the current time becomes significant. On the basis 
of such significant difference, it is possible to reject ac- 
cess attempts using such stolen to-be-verified biometric 
feature data, so that the security level of the system is 
significantly improved. 

so [0039] According to the portable electronic device of 
the foregoing item (2-6), after the object user is judged 
to be the authorized user of the portable electronic de- 
vice, the PIN, together with the verification date-and- 
time (time stamp) obtained by the clock function section, 

55 is encoded by the encryption section, and is then trans- 
mitted to the management device. Thus, even if the PIN 
should be intercepted during its transmission from the 
portable device to the management device and then be 
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wrongfully used, the management device, which moni- 
tors the verification date-and-time attached to the PIN, 
can recognize the use of the wrongfully obtained PIN, 
based on the difference between the verification date- 
and-time (time stamp) and the current time. Accordingly, £ 
it is possible to reject access attempts using such a sto- 
len PIN, so that the security level of the system is sig- 
nificantly improved. 

[0040] According to the user verification system ofthe 
forgoing item (2-7), when the portable electronic device 10 
receives a predetermined signal, the authorized user's 
valid public key information stored in the portable elec- 
tronic device is sent out to an external apparatus. It is 
thus possible for the external apparatus to use the public 
key stored in the portable electronic device, without the 
necessity for the external apparatus itself to hold a pre- 
stored public key. 

[0041] According to the user verification system ofthe 
forgoing item (2-8), if the biometric feature data verifying 
section obtains the comparison result a predetermined 20 
times consecutively that the matching condition be- 
tween the to-be-verified biometric feature data and the 
valid biometric feature data is not satisfied, the lock func- 
tion section locks the portable electronic device to pro- 
hibit the biometric feature data from being input to the 25 
portable electronic device, thereby preventing unau- 
thorized accessing with reliability. 
[0042] According to the user verification system of the 
forgoing item (2-9), the management log recording sec- 
tion has the date and time the PIN was sent out, or the 30 
content of the transaction performed, or the both of 
these, it is thus possible for the authorized user of the 
portable electronic device to keep a management log 
for himself, separate from the one that is made for the 
system. The user's log wil I serve as a safeguard against 35 
a low-reliability system. 

(3-1) A user verification system of the present in- 
vention comprises: a portable electronic device, 
which is adapted to be carried by a user; and a data AO 
processing device for directly accessing such a 
portable electronic device which is temporarily in- 
stalled therein. 

The data processing device includes: a biomet- 
ric information measuring unit for measuring bio- 45 
metric information of the user; a biometric feature 
data extracting section for extracting to-be-verified 
biometric feature data from the biometric informa- 
tion, which has been measured by biometric infor- 
mation measuring unit; a first encryption section for so 
encoding the to-be-verified biometric feature data 
with a public key; and a first transceiving interface 
for transmitting/receiving data to/from the portable 
electronic device. 

The portable electronic device includes: a bio- 55 
metric feature data register section having pre- 
stored valid biometric feature data of an authorized 
user of the portable electronic device; a second 



transceiving interface for transmitting/receiving da- 
ta to/from the data processing device; a biometric 
feature data verifying section for comparing to-be- 
verified biometric feature data, which is received 
from an external device via the second transceiving 
interface, with the valid biometric feature data; a se- 
cret key register section having a pre-stored valid 
secret key corresponding to the public key; and a 
decryption section for decoding encoded data, 
which has been encoded with the public key, with 
the valid secret key. 

The encoded to-be-verified biometric feature 
data, which has been encoded by the first encryp- 
tion section , is transmitted from the first transceiving 
interface to the portable electronic device, and the 
decryption section decodes the encoded data, 
which has been received via the second transceiv- 
ing interface, into the original to-be-verified biomet- 
ric feature data, and the biometric feature data ver- 
ifying section compares the original to-be-verified 
biometric feature data with the valid biometric fea- 
ture data. 

(3-2) The data processing device further includes a 
time stamp generating section for generating a time 
stamp as the date and time when the biometric fea- 
ture data extracting section extracted the to-be-ver- 
ified biometric feature data, and the time stamp is 
encoded, together with the to-be-verified biometric 
feature data, by the first encryption section, and the 
encoded time stamp is then sent out from the first 
transceiving interface to the portable electronic de- 
vice. 

The portable electronic device further includes: 
a clock function section for calculating the current 
time; and a time stamp verifying section for compar- 
ing the original time stamp, which has been restored 
by the decryption section, with the current time, 
which has been calculated by the clock function 
section. If it is found, as the comparison result by 
the biometric feature data verifying section, that the 
to-be-verified biometric feature data matches the 
valid biometric feature data in terms of a predeter- 
mined matching condition, and also if ft is found, as 
the comparison result by the time stamp verifying 
section, that a difference between the time stamp 
and the current time falls within a predetermined 
range, the user is identified as the authorized user 
of the portable electronic device. 
(3-3) The portable electronic device further in- 
cludes: a user information register section having 
pre-stored user information about the authorized 
user of the portable electronic device; and a second 
encryption section for encoding data, which is to be 
transmitted from the second transceiving interface 
to the data processing device, with the valid secret 
key. As a result of comparison by the biometric fea- 
ture data verifying section and the time stamp ver- 
ifying section, if the user is identified as the author- 
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ized user of the portable electronic device, the sec- 
ond encryption section encodes at least one of the 
following items: the user information; the level of 
correlation between the to-be-verified biometric 
feature data and the valid biometric feature data, 
which correlation level is obtained at the compari- 
son; and the date and time of the comparison per- 
formed, which is provided by the clock function sec- 
tion, and the encoded item is sent out from the sec- 
ond transceiving interface to the data processing 
device as a verification result. 
(3-4) The data processing section further includes 
a message digest creating section for creating a 
message digest as a value obtained by inputting da- 
ta to be transferred to the portable electronic device 
to a predetermined one-way function. The message 
digest and the to-be-verified biometric feature data 
are both encoded by the first encryption section, 
and are then sent out from the first transceiving in- 
terface to the portable electronic device. If the user 
is identified as the authorized user of the portable 
electronic device, as the comparison result by the 
biometric feature data verifying section and the time 
stamp verifying section, the second encryption sec- 
tion encodes the message digest which has been 
restored by the decryption section, and the encoded 
message digest is sent out from the second trans- 
ceiving interface to the data processing device, as 
a verification result. 

(3-5) The portable electronic device further includes 
a verification log recording section storing the veri- 
fication result as a verification log for a predeter- 
mined time period. 

(3-6) Upon receipt of a predetermined signal via the 
second transceiving interface, the portable elec- 
tronic device transmits public key information of the 
authorized user, which public key information is reg- 
istered in the portable electronic device, from the 
second transceiving interface to an external device. 
(3-7) The user verification system further comprises 
a lock function section which is operable to prohibit 
input of biometric feature information to the portable 
electronic device, if the evaluation is made a prede- 
termined number of times successively, as a result 
of the comparison by the feature data verifying sec- 
tion of the portable electronic device, that the to-be- 
verified biometric feature data never matches the 
valid biometric feature data in terms of the prede- 
termined matching condition. 

[0043] Accordi ng to the user verification system of the 
foregoing item (3-1), in the data processing device, the 
biometric information measuring unit measures biomet- 
ric information of an object user to be verified, and the 
biometric feature data extracting section extracts to-be- 
verified biometric feature data from the biometric infor- 
mation. The thus extracted to-be-verified biometric fea- 
ture data is encoded by the first encryption section using 
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a public key, and is then transmitted from the first trans- 
ceiving interface to the portable electronic device. In the 
portable electronic device, upon receipt of the encoded 
data via the second transceiving interface, the decryp- 

s tion section restores the original to-be-verified biometric 
feature data, and then, the biometric feature data veri- 
fying section compares/verifies the to-be-verified bio- 
metric feature data with valid biometric feature data. 
[0044] In this manner, according to the user verifica- 

10 tion system of the foregoing item (3-1 ), the to-be-verified 
biometric feature data is encoded using a public key be- 
fore being transmitted from the data processing device 
to the portable electronic device. Thus, even if the to- 
be-verified biometric feature data should be intercepted 

is using a false portable electronic device (a false IC card, 
or the like), it is still difficult to falsely use such encoded 
biometric feature data in another system. Thus, a high 
level of security is guaranteed, and user verification can 
be earned out with secure. 

20 [0045] According to the user verification system of th e 
foregoing item (3-2), in the data processing device, a 
time stamp is generated as the date and time the to-be- 
verified biometric feature data was extracted, and the 
generated time stamp is attached to the to-be-verified 

25 biometric feature data, and is then transmitted to the 
portable electronic device. In the portable electronic de- 
vice, the user is authenticated if a predetermined match- 
ing condition is satisfied between the to-be-verified bio- 
metric feature data and the valid biometric feature data, 

30 and also if the difference between the time stamp (the 
extraction date-and-time) and the current time falls with- 
in a predetermined range. Accordingly, even if to-be- 
verified biometric feature data should be intercepted 
during its transmission from the data processing device 

35 to the portable electronic device, and even if the stolen 
feature data should be falsely used in a replay attack 
against the portable device, the difference between the 
time stamp (the extraction date-and-time) and the cur- 
rent time becomes significant On the basis of such sig- 

40 nificant difference, it is possible to reject access at- 
tempts using such stolen to-be-verified biometric fea- 
ture data, so that the security level of the system is sig- 
nificantly improved. 

[0046] According to the user verification system of the 
45 foregoing item (3-3), in the portable electronic device, if 
the object person is judged to be the authorized user of 
the portable device, the second encryption section en- 
codes at least one of the following items using a secret 
key: user information (e.g., account number); the level 
so of correlation between the to-be-verified biometric fea- 
ture data and the valid biometric feature data; and the 
verification date-and-time (time stamp). The encoded 
item is then sent out to the data processing device as a 
verification result. That is, since the information about 
55 the verification result is encoded using a secret key, the 
issuer of the verification result can be certified. At that 
time, since the verification date-and-time (time stamp) 
is inserted into the verification result, it is possible to pre- 
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vent the verification result of the biomethc feature data 
from being tempered or falsified. Hence, even when the 
result of the verification of the biometric feature data, 
obtained within the portable electronic device, is sent 
out to an external apparatus, a high level of security can 
still be guaranteed, thus realizing secure user verifica- 
tion: At that time, since the level of correlation between 
the to-be-verified biometric feature data and the valid 
biometric feature data is provided as a verification result, 
it is possible to manage the record of with what degree 
of certainty the user is verified. 
[0047] Accordi ng to the user verification system of the 
foregoing item (3-4), in the data processing device, a 
message digest about data which is transferred to the 
portable electronic device is created. The message di- 
gest and the to-be-verified biometric feature data are 
both encoded by the first encryption section, and are 
then sent out from the first transceiving interface to the 
portable electronic device. On the portable electronic 
device, if the user is identified as the authorized user of 
the portable electronic device, the message digest (e. 
g., an electronic bill), which has been restored by the 
decryption section, is encoded once again by the sec- 
ond encryption section with a secret key, and is sent to 
the data processing device as a verification result. Re- 
sulting from this, similar effects and benefits to those al- 
ready described in the user verification system of the 
foregoing item (3-3) are guaranteed. Additionally, since 
a message digest is output as a verification result, it is 
possible to manage a record of which transaction the 
verification was made for. 

[0048] According to the user verif ication system of the 
foregoing item (3-5), the verification log recording sec- 
tion of the portable electronic device stores the verifica- 
tion result, as a verification log, for a predetermined time 
period. That is, a record of user verification is stored in 
the portable electronic device. 
[0049] According to the user verification system of the 
foregoing item (3-6), upon receipt of a predetermined 
signal via the second transceiving interface, the portable 
electronic device transmits the authorized user's public 
key information, registered in the portable electronic de- 
vice, to an external device. It is thus possible for the data 
processing device to use the public key stored in the 
portable electronic device, without the necessity for the 
data processing device itself to hold a pre-stored public 
key. 

[0050] Accordi ng to the user verification system of the 
foregoing item (3-7), as a result of the comparison by 
the feature data verifying section of the portable elec- 
tronic device, if the evaluation is made a predetermined 
number of times successively, that the predetermined 
matching condition between the to-be-verified biometric 
feature data and the valid biometric feature data is not 
satisfied, a lock function section prohibits the inputting 
of biometric feature information to the portable electron- 
ic device, so that any false access attempts can be re- 
liably rejected. 



(4-1 ) A portable electronic device of the present in- 
vention has a user verification function utilizing bi- 
ometric information. The portable electronic device 
comprises: a biometric feature data register section 

5 having pre-stored valid biometric f eatu re data of an 
authorized user of the portable electronic device; a 
transceiving interface for transmitting/receiving da- 
ta to/from an external device; a biometric feature 
data verifying section for comparing to-be-verified 

10 biometric feature data, which is received from an 
external device via the transceiving interface, with 
the valid biometric feature data; a secret key regis- 
ter section having a pre-stored valid secret key cor- 
responding to the public key; and a decryption sec- 

15 tion for decoding encoded data, which has been en- 
coded with the public key, with the valid secret key. 
The decryption section decodes the encoded data, 
which has been received via the transceiving inter- 
face, into the original to-be-verified biometric fea- 

20 ture data, and the biometric feature data verifying 
section compares the original to-be-verified biomet- 
ric feature data with the valid biometric feature data. 
(4-2) The portable electronic device further com- 
prises: a clock function section for calculating the 

25 current time; and a time stamp verifying section for 
comparing a time stamp, if any, attached to the orig- 
inal to-be-verified biometric feature data restored by 
the decryption section, with the current time, which 
has been calculated by the clock function section. 

30 The time stamp indicates the date and time when 
the to-be-verified biometric feature data has been 
extracted. If it is found, as the comparison result by 
the biometric feature data verifying section, that the 
to-be-verified biometric feature data matches the 

35 valid biometric feature data in terms of a predeter- 
mined matching condition, and also if it is found, as 
the comparison result by the time stamp verifying 
section, that a difference between the time stamp 
and the current time falls within a predetermined 

40 range, the user is identified as the authorized user 
of the portable electronic device. 
(4-3) The portable electronic device further com- 
prises: a user information register section having 
pre-stored user information about the authorized 

45 user of the portable electronic device; and an en- 
cryption section for encoding data, which is to be 
transmitted from the transceiving interface to the 
data processing device, with the valid secret key. 
As a result of comparison by the biometric feature 

so data verifying section and the time stamp verifying 
section, if the user is identified as the authorized us- 
er of the portable electronic device, the encryption 
section encodes at least one of the following items: 
the user information; the level of correlation be- 

55 tween the to-be-verified biometric f eatu re data and 
the valid biometric feature data, which correlation 
level is obtained at the comparison; and the date 
and time of the comparison performed, which is pro- 
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vided by the clock function section, the encoded 
item is sent out from the transceiving interface to 
the data processing device as a verification result. 
(4-4) If the user is identified as the authorized user 
of the portable electronic device, as the comparison 5 
result by the biometric feature data verifying section 
and the time stamp verifying section, and also if a 
message digest, which is obtained by inputting data 
to be transferred to the portable electronic device 
to a predetermined one-way function , is attached to io 
the original to-be-verified biometric feature data re- 
stored by the decryption section, the encoding sec- 
tion encodes the message digest, and the encoded 
message digest is then sent out from the transceiv- 
ing interface to the data processing device as a ver- 15 
ification result. 

(4-5) The portable electronic device further includes 
a verification log recording section storing the afore- 
mentioned verification results as a verification log 
for a predetermined time period. 20 
(4-6) Upon receipt of a predetermined signal via the 
transceiving interface, the portable electronic de- 
vice transmits public key information of the author- 
ized user, which public key information is registered 
in the portable electronic device, from the transcerv- 25 
ing interface to an external apparatus. 
(4-7) The portable electronic device further com- 
prises a lock function section which is operable to 
prohibit biometric feature information from being En- 
put to the portable electronic device, if the evalua- 30 
tion Is made a predetermined number of times suc- 
cessively, as the result of the comparison by the fea- 
ture data verifying section, that the to-be-verified bi- 
ometric feature data never matches the valid bio- 
metric feature data in terms of a predetermined 35 
matching condition. 

[0051] According to the portable electronic device 
with a user verification function utilizing biometric infor- 
mation of the foregoing item (4-1), upon receipt of en- *o 
coded data via the transceiving interface, the decryption 
section restores the original to-be-verified biometric fea- 
ture data, and then, the biometric feature data verifying 
section compares/verifies the to-be-verified biometric 
feature data with valid biometric feature data. 45 
[0052] In this manner, according to the portable elec- 
tronic device of the foregoing item (4-1), the to-be- veri- 
fied biometric feature data is encoded using a public key 
before it is transmitted from the data processing device 
to the portable electronic device. Thus, even if the to- 50 
be-verif led biometric feature data should be intercepted 
using a false portable electronic device (a false IC card, 
or the like), it is still difficult to wrongfully use such to- 
be-verified biometric feature data (encoded data) in an- 
other system. Thus, a high level of security is guaran- 
teed, and user verification can be performed with se- 
cure. 

[0053] According to the portable electronic device of 



the foregoing item (4-2), in a case where a time stamp, 
which indicates the date and time to-be-verified biomet- 
ric feature data was extracted, is attached to the to-be- 
verified biometric feature data, the object person is 
judged to be the authorized user of the portable elec- 
tronic device, if predetermined matching requirements 
between the to-berverified biometric feature data and 
valid biometric feature data are met, and also if the dif- 
ference between the time stamp (extraction date-and- 
time) and the current time falls within a predetermined 
range. Accordingly, even if to-be-verified biometric fea- 
ture data to be input to the portable electronic device 
should be intercepted, and even if the stolen feature da- 
ta should be falsely used in a replay attack against the 
portable device, the difference between the time stamp 
(extraction date-and-time) and the current time be- 
comes significant. On the basis of such significant dif- 
ference, it is possible to reject access attempts using 
such stolen to-be-verified biometric feature data, so that 
the security level of the system is significantly improved. 
[0054] According to the portable electronic device of 
the foregoing item (4-3), after the object user is verified, 
the encryption section encodes at least one of the fol- 
lowing items using a secret key: user information (e.g., 
account number); the level of correlation between the 
to-be-verified biometric feature data and the valid bio- 
metric feature data; and the verification date-and-time 
(time stamp). The encoded item is then sent out to the 
data processing device as a verification result. That is, 
since the information about the verification result is en- 
coded using a secret key, the issuer of the verification 
result can be certified. At that time, since the verification 
date-and-time (time stamp) is inserted into the verifica- 
tion result, it is possible to prevent the verification result 
of the biometric feature data from being tempered or fal- 
sified. Accordingly, even when the result of the verifica- 
tion of biometric feature data, obtained within the port- 
able electronic device, is sent out to an external appa- 
ratus, a high level of security is guaranteed, thus realiz- 
ing secure user verification. At that time, since the level 
of correlation between the to-be-verified biometric fea- 
ture data and the valid biometric feature data is provided 
as a verification result, ft is possible to manage a record 
of likelihood of the matches. 

[0055] According to the portable electronic device of 
the foregoing item (4-4), if the object user is judged to 
be the authorized user of the portable device, and also 
if a message digest is attached to the to-be-verified bi- 
ometric feature data, the massage digest is encoded by 
the encryption section using a secret key, before it is 
sent out to an external apparatus as a verification result. 
Resulting from this, similar effects and benefits to those 
already described in the portable electronic device of the 
foregoing item (4-3) are guaranteed. Additionally, since 
a message digest is output as a verification result, it is 
possible to manage a record of which transaction the 
verification was made for. 

[0056] According to the portable electronic device of 
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the foregoing item (4-5), the verification log recording 
section stores the verification result, as a verification 
log, for a predetermined time period. That is, a record 
of user verification is stored in the portable electronic 
device. 

[0057] According to the portable electronic device of 
the foregoing item (4-6), upon receipt of a predeter- 
mined signal, the authorized user's public key informa- 
tion, registered in the portable electronic device, is sent 
out to an external device, tt is thus possible for the ex- 
ternal apparatus to use the public key stored in the port- 
able electronic device, without the necessity for the ex- 
ternal apparatus to hold a pre-stored public key. 
[0058] According to the portable electronic device of 
the foregoing item (4-7), as a result of the comparison 
by the feature data verifying section, if the evaluation is 
made a predetermined number of times successively, 
that the predetermined matching condition between the 
to-be-verified biometric feature data and the valid bio- 
metric feature data is not satisfied, a lock function sec- 
tion prohibits the inputting of biometric feature informa- 
tion to the portable electronic device, so that any false 
access attempts can be reliably rejected. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0059] 

FIG. 1 is a block diagram schematically showing a 
structure of a user verification system of a first em- 
bodiment of the present invention; 
FIG. 2 is a flowchart indicating an operation of the 
first embodiment; 

FIG. 3 is a block diagram schematically showing a 
structure of a user verification system of a first mod- 
ified example of the first embodiment; 
FIG. 4 is a flowchart indicating an operation of the 
first modified example of the first embodiment; 
FIG. 5 is a block diagram schematically showing a 
structure of a user verification system of a second 
modified example of the first embodiment; 
FIG. 6 is a flowchart indicating an operation of the 
second modified example of the first embodiment; 
FIG. 7 is a block diagram schematically showing a 
structure of a user verification system of a third 
modified example of the first embodiment; 
FIG. 8 is a flowchart indicating an operation of the 
third modified example of the first embodiment; 
FIG. 9 is a block diagram schematically showing a 
structure of a user verification system of a second 
embodiment of the present invention; 
FIG. 1 0 is a flowchart indicating an operation of the 
second embodiment; 

FIG. 1 1 is a block diagram schematically showing a 
structure of a user verification system of a first mod- 
ified example of the second embodiment; 
FIG. 1 2 is a flowchart indicating an operation of the 
first modified example of the second embodiment; 



FIG. 13 is a block diagram schematically showing 
a structure of a user verification system of a second 
modified example of the second embodiment; 
FIG. 14 is a flowchart indicating an operation of the 
5 second modified example of the second embodi- 
ment; 

FIG. 15 is a block diagram schematically showing 
a structure of a user verification system of a third 
modified example of the second embodiment; and 
10 FIG. 1 6 is a flowchart indicating an operation of the 
third modified example of the second embodiment. 

Best Mode for Carrying Out the Invention 

is [0060] Preferred embodiments of the present inven- 
tion will be described hereinbelow with reference to the 
relevant accompanying drawings. 

[0] Brief Description of Embodiments of the Present 
20 invention: 

[0061 ] In a first embodiment of the present invention, 
a description will be made hereinbelow of a case where 
a portable electronic device is an I C card which serves 

2s as, for example, a debit card. Precisely, in a user verifi- 
cation system of the first embodiment, a personal iden- 
tification number (PIN) has to be entered as verification. 
Additionally, the first embodiment combines another 
verification technique that employs biometric informa- 

30 tion, which is rarely stolen or duplicated, with PIN veri- 
fication, so that leakage and theft of the PIN can be sure- 
ly prevented, thereby guaranteeing high security with 
secure user identification. 

[0062] More precisely, an IC card has pre-stored valid 

35 biometric feature data, which has been extracted from 
biometric information of the authorized user of the IC 
card. If predetermined matching requirements are sat- 
isfied between the valid biometric feature data and ob- 
ject biometric feature data to be verified (hereinafter 

40 called to-be-verified biometric feature data), indicating 
that the to-be-verified biometric feature data matches 
the valid biometric feature data, a PIN stored in the IC 
card is output to a host computer (management device) 
via an interface. 

45 [0063] Accordingly, in a case where an IC card of the 
present invention serves as a debit card, after a user is 
verified in the IC card utilizing biometric information, the 
PIN stored in the IC card is directly transmitted from the 
IC card to a host computer, which will eliminate the ne- 

so cessity for the user to input his PIN in sight of a shop 
clerk, thereby preventing the possibility of the PIN being 
seen. At that time, since the PIN is encoded using a pub- 
lic key for the host computer, the security of the PIN dur- 
ing transmission is thoroughly improved. Further, a time 

55 stamp (the date and time the user verification was per- 
formed) is encoded together with the PIN. Thus, even if 
the PIN should be stolen during transmission, it is still 
possible to prevent the stolen PIN from being used to 
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access other systems later. 

[0064] In a second embodiment of the present inven- 
tion, since a public key system is employed in data com- 
munication between a portable electronic device (an IC 
card in the present embodiment) and an external data $ 
processing device (an IC card terminal in the present 
embodiment), a high level of security ability is guaran- 
teed at inputting to-be-verified biometric feature data to 
the portable electronic device and at outputting the re- 
sult of biometric feature data verification, which has io 
been performed in the portable electronic device, to the 
portable electronic device, thereby realizing secure user 
verification. 

[0065] More precisely, in the second embodiment, the 
IC card also has pre-stored valid biometric feature data, * 5 
which has been extracted from biometric information of 
the authorized user of the IC card. The user (authorized 
user) of the IC card inputs biometric information of his 
own to the IC card terminal, which then processes the 
input biometric information to extract biometric feature 20 
data. The thus extracted to-be-verified biometric feature 
data is input from the IC card terminal to the IC card. At 
that time, the to-be-verified biometric feature data is en- 
coded using a public key before it is sent out to the IC 
card. 25 
[0066] Then, if predetermined matching requirements 
are satisfied between the to-be-verified biometric fea- 
ture data and the valid biometric feature data, indicating 
that the to-be-verified biometric feature data matches 
the valid biometric feature data, the IC card merges a 30 
message digest which is attached to the to-be-verified 
biometric feature data, the biometric feature data verifi- 
cation result (the degree of correlation), the date and 
time the verification was performed, and user informa- 
tion about the authorized user of the IC card. Those 35 
merged items are encoded with a valid secret key for 
the IC card, and the encoded data is then sent out to the 
IC card terminal as a verification result. 
[0067] In this manner, since the second embodiment 
employs biometric user verification, without relying on a 40 
password, it is possible to provide a user verification 
technique suited to a tamper-resistant IC card. Further, 
since the biometric feature data is encoded using a pub- 
lic key system before the data is transmitted to the IC 
card, it is possible to protect the IC card from counterfeit 45 
biometric feature data. 

[0068] Further, in the second embodiment, the result 
of the verification performed on the IC card is encoded 
using the valid secret key stored in the IC card before it 
is sent out to an external apparatus, and the user veil- so 
fication is performed within the IC card, so that the valid 
biometric feature stored the IC card is never sent out to 
an external apparatus, and that a verification result is 
never entered from an external apparatus to the IC card. 
It is thus possible to reduce with certainty the possibility & 
of fraudulent use. 

[0069] At that time, if a verification result undergoes 
PKI (public key infrastructure) processing before it is 



output from the IC card to an external apparatus, or if a 
message digest is created and attached to the verifica- 
tion result, it is possible to lower the possibility of the 
verification result being tampered with or counterfeited 
with further certainty. 

[1] First Embodiment: 

[0070] FIG. 1 is a block diagram showing a user ver- 
ification system of a first embodiment of the present in- 
vention. As shown in FIG. 1, user verification system 
100 includes iC card (portable electronic device) 300 
serving as a debit card, IC card terminal (external data 
processing device) 200 which receives IC card 300 and 
makes a direct access to the IC card 300, and host com- 
puter (management device) 400 which accesses the IC 
card 300 via the IC card terminal 200 to carry out user 
verification utilizing a personal identification number 
(PIN) as to the authorized user of the IC card 300. 
[0071 ] Host computer 400 belongs to a bank. The au- 
thorized user has a bank account in the bank, and when 
he uses IC card 300 as a debit card, his money is sub- 
tracted from the bank account. In practical use, such a 
debit card is used in combination with an external data 
processing device such as a debit card terminal (I C card 
terminal 200, here). This external data processing de- 
vice is connected with host computer 400, which man- 
ages the balances of bank accounts, via a communica- 
tions network. 0 
[0072] iC card terminal 200 has a slot (not shown) into 
which IC card 300 is to be inserted. IC card 300 is in- 
serted into the slot, whereupon transceiving interface 
205 (first transceiving interface) of the IC card terminal 
200 comes into contact with transceiving interface (sec- 
ond transceiving interface) 301 of the IC card 300, there- 
by allowing the IC card terminal 200 and the IC card 300 
to send/receive data therebetween. In the first embodi- 
ment, transceiving interfaces 205 and 301 are contact- 
type interfaces. The present invention should by no 
means be limited to the above, and it is also possible to 
use contactless interfaces. 

[0073] IC card terminal 200 has biometric information 
measuring unit 201 , biometric feature data extracting 
section 202, time stamp generating section 203, data 
encryption section (first encryption section) 204, and 
transceiving interface 205. 

[0074] Biometric information measuring unit 201 
measures and samples biometric information of an ob- 
ject user, for example, a person who inserted the IC card 
300 into the IC card terminal 200 (this is normally the 
authorized user of the IC card 300). The biometric infor- 
mation to be sampled may be image data such as a fin- 
gerprint, iris pattern, facial pattern, retina pattern, blood 
vessel pattern, hand shape, signature, and ear shape, 
it may otherwise be time-series data such as voice, key- 
strokes, and signature dynamics. For example, in a case 
of sampling the object user's fingerprint, biometric infor- 
mation measuring unit 201 should include a fingerprint 
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input screen. The object user presses his fingertip 
against the screen, thereby allowing the biometric infor- 
mation measuring unit 201 to sample the fingerprint. 
[0075] Biometric feature data extracting section 202 
extracts b iometric feature data (hereinafter called to-be- s 
verified biometric feature data), which is for use in user 
verification, from the biometric information sampled by 
biometric information measuring unit 201 . Here, if the 
sampled biometric information is fingerprint image data, 
the feature data to be extracted from the sampled fin- 10 
gerprint image data will include the coordinates of ridge 
dividing points (minutiae), the coordinates of ridge end 
points (minutiae), the coordinates of ridge crossing 
points, the coordinates of the fingerprint core, the coor- 
dinates of deltas, ridge directions, distances between 1$ 
minutiae, the number of ridges between minutiae, and 
so on. 

[0076] Time stamp generating section 203 generates 
the date and time biometric feature data extracting sec- 
tion 202 extracted the to-be-verified biometric feature 20 
data, as a time stamp. 

[0077] Data encryption section 204 encodes the to- 
be-verified biometric feature data, which has been ex- 
tracted by biometric feature data extracting section 202, 
along with the time stamp (the date and time the to-be- 25 
verified biometric feature data was extracted; hereinaf- 
ter called the "verification date-and-time"), which has 
been generated by time stamp generating section 203, 
using a public key for IC card 300. The public key for IC 
card 300 is given in response to the issuance of a certain 30 
command (predetermined signal) to a host computer 
(not shown; the one separate from host computer 400) 
or to IC card 300. In the first embodiment, as will be de- 
scribed later, the public key for IC card 300 is stored in 
the IC card 300 itself. IC card terminal 200 issues a cer- 35 
tain command to the IC card 300, thereby obtaining the 
public key. 

[0078] Transceiving interface 205, as described 
above, comes into contact with transceiving interface 
301 of IC card 300, thereby realizing data communica- *> 
tion not only between IC card terminal 200 and IC card 
300 but also between IC card terminal 200 and host 
computer 400. 

[0079] IC card 300 of the first embodiment has a bu itt- 
in storage unit such as a ROM and a RAM, and also 45 
contains a CPU (Central Processing Unit) which carries 
out processing based on the data stored in the storage 
unit and signals received from an external apparatus. 
IC card 300 includes transceiving interface 301 , biomet- 
ric feature data register section 302, secret key register so 
section 303, clock function section 304, data encryption/ 
decryption section (serving both as a second encryption 
section and as a decryption section) 305, biometric fea- 
ture data verifying section 306, time stamp verifying sec- 
tion 307, P IN register section 308, user information reg- 55 
fster section 309, verification log recording section 31 0, 
IC card-dedicated public key register section 312, and 
management log recording section 317. 



[0080] Transceiving interface 301, as described 
above, comes into contact with transceiving interface 
205 of IC card terminal 200, thereby realizing data . 
communication between the IC card terminal 200 and 
IC card 300. 

[0081 ] Biometric feature data register section 302 has 
pre-stored valid biometric feature data of the authorized 
user of IC card 300. This valid biometric feature data is 
sampled, for example, upon issuance of IC card 300. 
While the IC card 300 is being inserted into the slot of 
IC card terminal 200, biometric information (fingerprint 
image data, and so on) of the authorized user of IC card 
300 is sampled through IC card terminal 200, and bio- 
metric feature data is extracted from the sample data. 
The thus extracted biometric feature data is written in 
biometric feature data register section 302 of IC card 
300, through IC card terminal 200, as valid biometric 
feature data. 

[0082] Secret key register section 303 has a pre- 
stored valid secret key corresponding to the public key 
for IC card 300. Clock function section 304 calculates 
the current time. 

[0083] Data encryption/decryption section 305 serves 
both as a decryption section and as an encryption sec- 
tion (second encryption section). Serving as the former, 
data encryption/decryption section 305 decodes data 
received from an external apparatus through transceiv- 
ing interface 301 , using the valid secret key registered 
in secret key register section 303. Serving as the latter, 
data encryption/decryption section 305 encodes data to 
be transmitted to host computer 400, using the public 
key for the host computer 400. In the first embodiment, 
however, data encryption/decryption section 305 func- 
tions only as a decryption section, and its function as an 
encryption section is used in the first through third mod- 
ified examples of the first embodiment. Here, as will be 
described later, original data restored by data encryp- 
tion/decryption section 305 is to-be-verified biometric 
feature data and time stamp (the date and time of ex- 
traction), which have been received from IC card termi- 
nal 200. 

[0084] Biometric feature data verifying section 306 
compares the to-be-verified biometric feature data, 
which has been received from an external apparatus 
through transceiving interface 301 , with the valid bio- 
metric feature data registered in biometric feature data 
register section 302 to evaluate whether or not the to- 
be-verified biometric feature data satisfies a predeter- 
mined matching condition, which is the measure of the 
matching between the to-be-verified biometric feature 
data and the valid biometric feature data. An example 
of the matching condition is, for example, that the cor- 
relation between (the degree of resemblance) the to-be- 
verified biometric feature data and the valid biometric 
feature data is a predetermined value or greater. 
[0085] Time stamp verifying section 307 compares 
the original time stamp, which has been restored by data 
encryption/decryption section 305, with the current time, 
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which has been calculated by clock function section 
304, and evaluates whether or not the difference be- 
tween them is within a predetermined range (for exam- 
ple, a predetermined value or lower). 
[0086] PIN register section 308 and user information s 
register section 309 serve as a user information storage 
unit. PIN register section 308 has a pre-stored personal 
identification number (password), which is requested to 
be input when IC card 300 attempts to access host com- 
puter 400. With a conventional debit card, a user has to 10 
manually input such a personal identification number 
(PIN) with a ten-key pad. User information register sec- 
tion 309 has a pre-stored account number (bank ac- 
count number, user number) of a bank account from 
which the amount spent should be subtracted, when IC 15 
card 300 is used as a debit card. 
[0087] Verification log recording section 310 holds a 
verification log for a limited time period. The verification 
log contains the results of the verification carried out by 
biometric feature data verifying section 302 and by time 20 
stamp verifying section 307, and also contains the date 
and time the verification was performed (hereinafter 
called the "verification date-and-time"), which date and 
time has been obtained by clock function section 304. 
[0088] IC card-dedicated public key register section 25 
312, as described above, has a pre-stored public key 
(predetermined public key information) for an IC card 
300, with which public key data encryption section 204 
of IC card terminal 200 encodes to-be-verified biometric 
feature data and a time stamp. Upon receipt of a prede- 30 
termined signal (certain command) through transceiving 
interface 301, IC card 300 transmits the public key 
stored in IC card-dedicated public key register section 
312, from transceiving interface 301 to IC card terminal 
200 (or host computer 400). 35 
[0089] When the PIN is transmitted to host computer 
400 as a verification result (will be described later), man- 
agement log recording section 317 records, as a man- 
agement log, the date and time the PIN was sent out, 
or the content of the transaction performed, or both of *o 
these. 

[0090] At that time, the foregoi ng biometric feature da- 
ta register section 302, secret key register section 303, 
PIN register section 308, user information register sec- 
tion 309, verification log recording section 31 0, IC card- 45 
dedicated public key register section 312, and manage- 
ment log recording section 31 7 are realized, in practical 
use, by a storage unit such as a ROM and a RAM inter- 
nally equipped in IC card 300. 

[0091 ] The foregoing clock function section 304, data so 
encryption/decryption section 305, biometric feature da- 
ta verifying section 306, and time stamp verifying sec- 
tion 307 are realized, in practical use, by a CPU built in 
IC card 300. 

[0092] Next, an operation of user verification system 55 
100 of the first embodiment will be described hereinbe- 
low, with reference to the flowchart of FIG. 2. 
[0093] When using IC card 300 as a debit card, a user 



(object person to be verified) puts the IC card 300 into 
the slot of IC card terminal 200, and then presses his 
fingertip to a fingerprint input screen, if his fingerprint 
image data is requested to be entered as the biometric 
information for use in user verification. 
[0094] Biometric information measuring unit 201 of IC 
card terminal 200 measures the user's biometric infor- 
mation (fingerprint image data) (step S11). From the bi- 
ometric information, biometric feature data extracting 
section 202 extracts to-be-verified biometric feature da- 
ta, and time stamp generating section 203 generates the 
date and time (time stamp) the to-be-verified biometric 
feature data was extracted, and the time stamp is at- 
tached to the to-be-verified biometric feature data (step 
S12). 

[0095] The to-be-verified biometric feature data, 
along with the time stamp attached thereto, is encoded 
by data encryption section 204 using a public key for IC 
card 300 (step S1 3). The public key for IC card 300, as 
described above, is read out from IC card-dedicated 
public key register section 312 of IC card 300. Upon re- 
ceipt of a specific command (predetermined signal), the 
IC card-dedicated public key register section 312 allows 
the public key to be read out therefrom, and the read- 
out public key is sent out from IC card 300 to IC card 
terminal 200. Since this key for use in encryption, which 
is sent out from IC card 300 to IC card terminal 200, is 
a public key, it does not matter if the key is sent out in 
response to a simple command. 
[0096] After that, the to-be-verified biometric feature 
data encoded by data encryption section 204 using the 
public key, is transferred/transmitted, along with the time 
stamp attached thereto, from transceiving interface 205 
to IC card 300 (step S14). 

[0097] When IC card 300 receives encoded data via 
transceiving interface 301 , data encryption/decryption 
section 305 restores the encoded data, using a valid se- 
cret key, into the original to-be-verified biometric feature 
data and time stamp (step S15). Biometric feature data 
verifying section 306 first compares the to-be-verified 
biometric feature data with the valid biometric feature 
data (stepS16). 

[0098] As a result of the comparison, if the level of 
correlation (the degree of the matching) between the to- 
be-verified biometric feature data and the valid biometric 
feature data is below a predetermined value (NO route 
of step S17), the object person is judged not to be the 
authorized user of the IC card 300 (step S22), and a 
predetermined action (for example, locking the card) is 
taken. 

[0099] Otherwise, if the level of correlation (the de- 
gree of the matching) between the to-be-verified biomet- 
ric feature data and the valid biometric feature data is a 
predetermined value or higher (YES route of step S1 7), 
time stamp verifying section 307 compares the time 
stamp restored by data encryption/decryption section 
305 with the current time calculated by clock function 
section 304 (step S18). 
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[01 00] As a result of the comparison, if the difference 
between the time stamp (the extraction date-and-time) 
and the current time exceeds a predetermined value 
(NO route of step S1 9), the object person is judged not 
to be the authorized user of the IC card 300 (step S23), 5 
and a predetermined action (for example, locking the 
card) is taken. 

[01 01 ] Otherwise, if the difference between the time 
stamp (the extraction date-and-time) and the current 
time is a predetermined value or lower (YES route of 10 
step S1 9), the object person is judged to be the author- 
ized user of the IC card 300 (step S20), the PIN and the 
account number (user number) are read out from PIN 
register section 308 and user information register sec- 
tion 309, respectively, and then output/transmitted, as '5 
the verification result ("OK"), from transceiving interface 
301 to host computer 400 via transceiving interface 205 
of IC card terminal 200 (step S21). 
[01 02] After that, IC card 300 transmits/receives data 
to/from host computer 400 in accordance with a prede- 20 
termined protocol, and similar processing to that which 
is carried out to a common debit card is performed be- 
tween host computer 400 and IC card 300. At that time, 
transceiving interface 205 of IC card terminal 200 only 
transfers (allows the data pass therethrough) the data 25 
transmitted/received between host computer 400 and 
IC card 300, without taking the data in itself. Host com- 
puter 400 receives the account number and the PIN, and 
then moves a specified amount of money from that ac- 
count to another account. The result of the transaction 30 
may be printed out by IC card terminal 200, or may be 
written in IC card 300 as a log. 
[0103] In IC card 300 of the first embodiment, verifi- 
cation results ("OKVNG") obtained by biometric feature 
data verifying section 306 and time stamp verifying sec- as 
tion 307 are held, together with the verification date- 
and-time obtained by clock function section 304, in ver- 
ification log recording section 310 for a predetermined 
time period. If the PIN and the account number are 
transmitted as a positive user verification result, the date 40 
and time of their transmission and the content of the 
transaction performed are stored in management log re- 
cording section 317 of IC card 300. 
[0104] In this manner, with user verification system 
1 00 of the first embodiment, after the matching between 
the to-be-verified biometric feature data and the valid 
biometric feature data is confirmed, the PIN and the ac- 
count number stored in IC card 300 are transmitted to 
host computer 400. The necessity for directly inputting 
PIN with a ten-key pad is thus eliminated, and the PIN so 
only passes through IC card terminal 200. It is thus pos- 
sible to minimize the risk of the PIN being stolen when 
it is input. 

[01 05] Therefore, since PIN verification is associated 
with biometric user verification utilizing biometric infor- 55 
mation, which is free of being stolen or faked, it is pos- 
sible to surely prevent the leakage and the theft of the 
PIN, so that a high level of security can be guaranteed, 



thereby realizing secure user verification. 
[01 06] Further, in user verification system 1 00 of the 
first embodiment, the to-be-verified biometric feature 
data is encoded by a public key system before the data 
is transmitted from IC card terminal 200 to IC card 300, 
and all the data having been input to IC card 300 for use 
in user verification is decoded within IC card 300. Ac- 
cordingly, the present system prevents the inputting of 
falsified to-be-verified biometric feature data, so that 
fraud can be effectively prevented, thereby guarantee- 
ing a high level of security. 

[0107] Even if to-be-verified biometric feature data 
should be stolen, with a false IC card being inserted into 
the slot of IC card terminal 200, it is still difficult to wrong- 
fully use the stolen public key in another system, be- 
cause the key is encoded by a public key system. It is 
thus possible to guarantee a high level of security, real- 
izing secure user verification. 
[0108] Further, if the stolen to-be-verified biometric 
feature data is used in a replay attack against IC card 

300, the difference between the date and time the to- 
be-verified biometric feature data was extracted and the 
current time inevitably becomes significant. Taking ad- 
vantage of this fact, user verification system 1 00 of the 
first embodiment compares the date and time the to-be- 
verified biometric feature data was extracted (time 
stamp) with the current time. Access attempts made by 
using the to-be-verified biometric feature data are re- 
jected if the difference between the time stamp (extrac- 
tion date-and-time) and the current time is significantly 
great. It is thus difficult to use the stolen to-be-verified 
biometric feature data in a replay attack, thereby guar- 
anteeing a higher level of security. 

[0109] Further, in user verification system 1 00 of the 
first embodiment, when IC card 300 receives a prede- 
termined signal (command) via transceiving interface 

301, the public key stored in IC card-dedicated public 
key register section 312 is read out and is then sent out 
to an external apparatus. Thus, even if IC card terminal 
200 (or host computer 400) stores no public key for IC 
card 300, ft is still possible to use the public key stored 
in IC card 300. 

[0110] Still further, in user verification system 100 of 
the first embodiment, since management log recording 
section 317 stores the date and time the PIN and the 
account number were transmitted and the content of the 
transaction performed, it is possible for the user of IC 
card 300 to keep a management log for himself, sepa- 
rate from the one for the system. The user log will serve 
as a safeguard against a low-reliability system. 
[0111] Furthermore, in user verification system 1 00 of 
the first embodiment, verification log recording section 
310 of IC card 300 stores verification results 
("OKVNG") obtained by biometric feature data verifying 
section 306 and time stamp verifying section 307, as a 
verification log, for a predetermined time period. That is, 
a history of user verification is stored in IC card 300. 
[01 12] In the foregoing first embodiment, the present 
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Invention is applied to IC card 300 that serves as a debit 
card. The present invention should by no means be lim- 
ited to the above, and IC card terminal 200 can be re- 
placed with an IC card reader, and host computer 400 
can be replaced with a personal computer (PC), thereby 5 
enabling the application of the present invention to a 
system for controlling access to the PC. 

[1-1] First Modified Example of the First Embodiment 

w 

[01 13] FIG. 3 is a block diagram showing a structure 
of a user verification system according to a first modifi- 
cation of the first embodiment of the present invention. 
Like reference numbers designate similar parts or ele- 
ments throughout several views of the present embod- is 
iment, so their detailed description is omitted here. 
[0114] As shown in FIG. 3, in user verification system 
1 00A of the first modification of the first embodiment, 
the following functions are added to IC card 300 of user 
verification system 1 00 of FIG. 1 . 20 
[01 15] In other words, user verification system 1 00A 
is an advanced version of user verification system 100. 
In user verification system 100 A, a PIN and an account 
number are encoded using a public key for host compu- 
ter 400, before they are transmitted to host computer 25 
400. At the time the PIN and the account number are 
encoded, a time stamp (verification date-and-time) is 
added to them. 

[01 1 6] For this purpose, IC card 300 of user verifica- 
tion system 100 A includes host computer-dedicated 30 
public key register section (management device-dedi- 
cated public key register section) 311 , which has a pre- 
stored public key for host computer 400. Such a host 
computer-dedicated public key register section 311 is, 
in practical use, realized by an internal storage unit, 35 
such as a ROM and a RAM, of IC card 300. 
[0117] In IC card 300 of user verification system 100A, 
if an object person is judged to be the authorized user 
of portable electronic device 300, as a result of the ver- 
ification carried out by biometric feature data verifying 40 
section 306 and time stamp verifying section 307, the 
date and time the verification was performed is obtained 
by clock function section 304, and the verification date- 
and-time is added to the PIN and the account number 
to be transmitted to host computer 400, as a time stamp. 45 
[01 1 8] The foregoing data encryption/decryption sec- 
tion 305 encodes the PIN and the account number to be 
transmitted to host computer 400, along with the time 
stamp (the verification date-and-time), using a public 
key for host computer 400. so 
[01 19] Referring now to the flowchart of FIG. 4, a de- 
scription will be made hereinbelow of an operation of 
user verification system 1 00A of the first modification to 
the first embodiment. Like step numbers designate the 
same processing as in FIG. 2, so their detailed descrip- 55 
tion is omitted here. 

[01 20] If the object person is judged to be the author- 
ized user of portable electronic device 300 in step S20, 



clock function section 304 obtains the date and time 
when the verification was performed, and the verifica- 
tion date-and-time is attached, as a time stamp, to the 
PIN and the account number to be transmitted to host 
computer 400 (step S31). 

[0121] After that, the PIN and the account number are 
encoded by data encryption/decryption section 305 with 
a public key for host computer 400 (step S32), and then 
transmitted/transferred from transceiving interface 301 
to host computer 400 via transceiving interface 205 of 
IC card terminal 200 (step S33). 
[01 22] User verification system 1 00A of the first mod- 
ification of the first embodiment guarantees similar ef- 
fects and benefits to those already described in the first 
embodiment. Additionally, even if the verification re- 
sults, including the PIN, are intercepted by undesirable 
parties during their transmission to an external appara- 
tus, it is still difficult for those third parties to wrongfully 
use the stolen PIN in another system, because the ver- 
ification results (a PIN, an account number, the verifica- 
tion date-and-time, and so on) have been encoded us- 
ing the public key for host computer 400 before they are 
sent out from IC card 300 to host computer 400. Thus 
the security level of the system is significantly improved. 
[0123] As to a verification result transmitted to host 
computer 400 in user verification system 100A, the re- 
sult contains the date and time the verification was per- 
formed, which has been attached to the verification re- 
sult as a time stamp. As a result, even if the verification 
result (PIN) should be intercepted and then wrongfully 
used, host computer 400, which monitors the verifica- 
tion date-and-time attached to the PIN, can recognize 
that a wrongfully obtained PIN is used, based on the dif- 
ference between the verification date-and-time (time 
stamp) and the current time. 

[01 24] More precisely, if such a stolen PIN is used to 
access host computer 400, the difference between the 
verification date-and-time (time stamp) and the current 
time inevitably becomes great. Host computer 400 uses 
this trait to evaluate whether or not the object PIN is an 
intercepted one, and upon recognition of the stolen PIN, 
host computer 400 rejects the access attempt. It is thus 
difficult to reuse the stolen PIN, so that a higher level of 
security is guaranteed. It is difficult to reuse the same 
data. 

[1 -2] Second Modified Example of the First 
embodiment: 

[0125] FIG. 5 is a block diagram showing a structure 
of a user verification system according to a second mod- 
ification to the first embodiment of the present invention. 
Like reference numbers designate similar parts or ele- 
ments throughout several views of the present embod- 
iment, so their detailed description is omitted here. 
[0126] As shown in FIG. 5, in user verification system 
1 00B of the second modification of the first embodiment, 
the following functions (of magnetic data read-out unit 
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206) are added to IC card terminal 200 of user verifica- 
tion system 100A of FIG. 3. 

[0127] More precisely, in the second modification to 
the first embodiment, user information including an ac- 
count number (bank account number, user number) is 
previously recorded, as magnetic data, in magnetic 
stripes (recording unit; not shown) prepared on the sur- 
face of IC card 300, as in the case of a magnetic card. 
IC card terminal 200 has magnetic data read-out unit 
206 for reading-out magnetic data stored in the magnet- 
ic stripes on the surface of IC card 300. 
[01 28] Referring now to the flowchart of FIG. 6, a de- 
scription will be made hereinbelow of an operation of 
user verification system 100B of the second modifica- 
tion to the first embodiment. Like step numbers desig- 
nate the same processing throughout FIG. 2, FIG. 4, and 
FIG. 6, so their detailed description is omitted here. 
[01 29] In user verification system 1 00B, when IC card 
300 is used as a debit car, a user (object person to be 
verified) first inserts IC card 300 into the slot of IC card 
terminal 200. Magnetic data read-out unit 206 reads out 
magnetic data, that is, user information such as an ac- 
count number (bank account number, user number), 
from magnetic stripes prepared on the surface of IC card 
300 (stepSIO). 

[01 30] After that, if the object user is judged to be the 
authorized user of IC card 300 in step S20, clock func- 
tion section 304 obtains the date and time when the ver- 
ification was performed, and the verification date-and- 
time is attached, as a time stamp, to the PIN to be trans- 
mitted to host computer 400 (step S31 *). 
[0131] The PIN is encoded, along with the time stamp 
(the verification date-and-time), by data encryption/de- 
cryption section 305 using a public key for host compu- 
ter 400 (step S32 1 ), and then passes through transcerv- 
ing interface 301 and transceiving interface 205 of IC 
card terminal 200. The encoded PIN, together with the 
account number (bank account number, user number) 
read out from the magnetic stripes, is transmitted/trans- 
ferred from transceiving interface 205 to host computer 
400 (step S33'). 

[0132] In this modification, since user information 
such as the account number (bank account number, us- 
er number) is recorded in the magnetic stripes on the 
surface of IC card 300, user information register section 
309 built in IC card 300 may be optional. 
[0133] In this manner, user verification system 100B 
of the second modification of the first embodiment guar- 
antees similar effects and benefits to those already de- 
scribed in the first modification to the first embodiment. 
Additionally, user verification system 100B is applicable 
in a case where a portable electronic device is an IC 
card that is equipped with a function (magnetic stripes) 
of a magnetic card. Moreover, since IC card terminal 200 
is capable of coping with both of existing magnetic cards 
and IC cards, those two different types of cards can be 
used in user verification system 100B. 



[1-3] Third Modified Example of the First Embodiment: 

[0134] FIG. 7 is a block diagram showing a structure 
of a user verification system according to a third modi- 
5 fication to the first embodiment of the present invention. 
Like reference numbers designate similar parts or ele- 
ments throughout several views of the present embod- 
iment, so their detailed description is omitted here. 
[01 35] As shown in FIG. 7, in user verification system 
10 1 00C of the third modification to the first embodiment, 
the following functions (of verification counter section 
313 and IC card lock section 314) are added to IC card 
300 of user verification system 100B of FIG. 5. 
[01 36] More precisely, biometric feature data verifying 
section 306 compares to-be-verified biometric feature 
data with valid biometric feature data, and if the com- 
parison result drops below a predetermined level of cor- 
relation a predetermined times consecutively, IC card 
300 is locked. A function for locking IC card 300 is 
20 equipped to IC card 300 itself. 

[0137] Thus IC card 300 of user verification system 
1 00A is equipped with the functions of verification coun- 
ter section 31 3 and IC card lock section 31 4. These ver- 
ification counter section 313 and IC card lock section 
25 (lock function section) 31 4 are, in practical use, realized 
by a CPU built in IC card 300. 
[01 38] Here, if biometric feature data verifying section 
306 obtains a comparison result below a predetermined 
correlation level more than one time consecutively, ver- 
so rfication counter section 313 counts the occurrence of 
such comparison results. 

[01 39] When the count value obtained by verification 
counter section 313 reaches the predetermined value, 
IC card lock section 314 locks IC card 300 to prohibit 

35 the inputting of biometric feature data to IC card 300. 
[0140] Referring now to the flowchart of FIG. 8, a de- 
scription will be made hereinbelow of an operation of 
user verification system 100C of the third modification 
to the first embodiment. Like step numbers designate 

40 the same processing throughout FIG. 2, FIG. 4, and FIG. 
6, so their detailed description is omitted here. If It is 
judged that the correlation (the degree of a matching) 
between the to-be-verified biometric feature data and 
the valid biometric feature data drops below a predeter- 

45 mined value (NO route of step S1 7) , verification counter 
section 313 increments its count value by one (step 
S41), and it is then evaluated whether or not the count 
value reaches a predetermined value (step S42). 
[0141] If the evaluation yields a negative result (NO 

so route of step S42), a signal (command) for instructing 
IC card terminal 200 to carry out the measurement of 
biometric information is transmitted from IC card 300 to 
IC card terminal 200 once again, and the processing of 
step S11 through step S17 is then repeated once again. 

S5 [0142] Otherwise, if the evaluation result is positive 
(YES route of step S42), IC card lock section 314 locks 
IC card 300 to prohibit the inputting of biometric feature 
data to IC card 300 (step S43). 
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[0143] In this manner, user verification system 100C 
of the third modification of the first embodiment guaran- 
tees similar effects and benefits to those already de- 
scribed in the second modification to the first embodi- 
ment. Additionally, if biometric feature data verifying 5 
section 306 obtains the comparison result a predeter- 
mined times consecutively that the matching condition 
between the to-be-verified biometric feature data and 
the valid biometric feature data is not satisfied, IC card 
lock section 31 4 locks IC card 300 to prohibit the input- "> 
ting of biometric feature data to IC card 300, thereby 
preventing unauthorized accessing with reliability. 

[2] Second embodiment: 

15 

[0144] FIG. 9 is a block diagram showing a structure 
of a user verification system according to a second em- 
bodiment of the present invention. Like reference num- 
bers designate similar parts or elements throughout 
several views of the present embodiment, so their de- 20 
tailed description is omitted here. 
[0145] As shown in FIG. 9 t user verification system 
500 of the second embodiment includes IC card (porta- 
ble electronic device) 300, IC card terminal (external da- 
ta processing device) 200 which receives IC card 300 25 
and makes a direct access to the IC card 300. IC card 
300 of the second embodiment may optionally have a 
function of a debit card, as in the case of the first em- 
bodiment. 

[0146] IC card terminal 200 of the second embodi- 30 
ment, as in the case of the first embodiment, has a slot 
(not shown) for receiving IC card 300. At an instant IC 
card 300 is inserted into this slot, transceiving interface 
(first transceiving interface) 205 of IC card terminal 200 
comes into contact with transceiving interface (second 35 
transceiving interface) 301 of IC card 300, so that data 
can be transmitted/received between IC card terminal 
200 and IC card 300. In the second embodiment, also, 
transceiving interfaces 205, 301 are contact-type inter- 
faces. The present invention, however, should by no 40 
means be limited to this, contactless interfaces can also 
be available. 

[01 47] IC card terminal 200 has biometric information 
measuring unit 201 , biometric feature data extracting 
section 202, data encryption section (first encryption 45 
section) 204, and transceiving interface 205. 
[0148] Biometric information measuring unit 201, as 
in the case of the first embodiment, measures/samples 
biometric information of an object user, a person who 
inserted IC card 300 into the slot of IC card terminal 200 so 
(probably the authorized user of IC card 300). Biometric 
feature data extracting section 202, as in the case of the 
first embodiment, extracts to-be-verified biometric fea- 
ture data from the biometric information measured by 
biometric information measuring unit 201 . As to biomet- ss 
ric information and biometric feature data to be extract- 
ed from the biometric feature data, similar kinds of bio- 
metric data to those described in the first embodiment 



are used, so their detailed description is omitted here. 
[0149] Data encryption section 204 encodes the to- 
be-verified biometric f eatu re data extracted by biometric 
feature data extracting section 202, using a public key 
for IC card 300. At that time, as in the first embodiment, 
the public key for IC card 300 is provided by a host com- 
puter (not shown; the one separate from host computer 
400) connected with IC card terminal 200, or it is pro- 
vided by IC card 300 in response to a specific command 
(predetermined signal) issued to ICcard 300. In the sec- 
ond embodiment, also, IC card-dedicated public key 
register section 312 of IC card 300 has a public key for 
IC card 300, and IC card terminal 200 issues the specific 
command to IC card 300 to obtain the public key. 
[01 50] As in the foregoing description, transceiving In- 
terface 205 comes into contact with transceiving inter- 
face 301 of IC card 300, thereby enabling data commu- 
nication between IC card terminal 200 and IC card 300. 
[0151] IC card 300 of the second embodiment, as of 
the first embodiment, has a built-in storage unit such as 
a ROM and a RAM, and also contains a CPU which car- 
ries out processing based on the data stored in the stor- 
age unit and signals received from an external appara- 
tus. IC card 300 includes transceiving interface 301 , bi- 
ometric feature data register section 302, secret key 
register section 303, data encryption/decryption section 
(serving both as a second encryption section and as a 
decryption section) 305, biometric feature data verifying 
section 306, and IC card-dedicated public key register 
section 312. 

[0152] Transceiving interface 301 , as in the foregoing 
description, comes into contact with transceiving inter- 
face 205 of IC card terminal 200, thereby enabling data 
communication between IC card terminal 200 and IC 
card 300. 

[01 53] Biometric feature data register section 302 has 
pre-stored valid biometric feature data of the authorized 
user of IC card 300. This valid biometric feature data is 
registered, for example, when IC card 300 is initially is- 
sued, in the similar way to that described in the first em- 
bodiment. 

[01 54] As in the first embodiment, secret key register 
section 303 has a pre-stored registered secret key cor- 
responding to the public key for IC card 300. 
[01 55] Data encryption/decryption section 305 serves 
both as a decryption section and as an encryption sec- 
tion (second encryption section). Serving as the former, 
data encryption/decryption section 305 decodes the da- 
ta received from an external apparatus through trans- 
ceiving interface 301 , using the valid secret key regis- 
tered in secret key register section 303. Serving as the 
latter, data encryption/decryption section 305 encodes 
data to be transmitted to host computer 400, using the 
public key for the host computer 400. In the second em- 
bodiment, however, data encryption/decryption section 
305 functions only as a decryption section, and its func- 
tion as an encryption section is used in first through third 
modified examples of the second embodiment. Here, as 
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will be described later, original data restored by data en- 
cryption/decryption section 305 is to-be-verified btomet- 
ric feature data which has been sent out from IC card 
terminal 200. 

[0156] Biometric feature data verifying section 306 5 
compares the to-be-verified biometric feature data, 
which has been received from an external apparatus 
through transceiving interface 301 , with the valid bio- 
metric feature data registered in biometric feature data 
register section 302 to evaluate whether or not the to- to 
be-verified biometric feature data satisfies a predeter- 
mined matching condition, which is the measure of the 
matching between the to-be-verified biometric feature 
data and the valid biometric feature data. That is, it is 
evaluated whether or not the correlation (the degree of 15 
resemblance) between the to-be-verified biometric fea- 
ture data and the valid biometric feature data takes a 
predetermined value or greater. 
[0157] IC card-dedicated public key register section 
312, as described above, has a pre-stored public key 20 
(predetermined public key information) for an IC card 
300, which is used by public key data encryption section 
204 of IC card terminal 200 to encode to-be-verified bi- 
ometric feature data and a time stamp. Upon receipt of 
a predetermined signal (certain command) through 25 
transceiving interface 301, IC card 300 transmits the 
public key stored in IC card-dedicated public key regis- 
ter section 312, from transceiving interface 301 to IC 
card terminal 200. 

[01 58] At that time, the foregoing biometric feature da- 30 
ta register section 302, secret key register section 303, 
and IC card-dedicated public key register section 312 
are realized, in practical use, by a storage unit such as 
a ROM an a RAM internally equipped in IC card 300. 
[01 59] The foregoing data encryption/decryption sec- 35 
tion 305 and biometric feature data verifying section 306 
are realized, in practical use, by a CPU built in IC card 
300. 

[0160] Next, an operation of user verification system 
500 of the second embodiment will be described here- *o 
inbelow, with reference to the flowchart of FIG. 1 0. Like 
step numbers designate the same processing through- 
out FIG. 2, FIG. 4, and FIG. 6, so their detailed descrip- 
tion is omitted here. 

[0161] When using IC card 300 as a debit card, a user 45 
(object person to be verified) puts the IC card 300 into 
the slot of IC card terminal 200, and then presses his 
fingertip to a fingerprint input screen, if his fingerprint 
image data is requested to be input as the biometric in- 
formation for use in user verification. so 
[01 62] Biometric information measuring unit 201 of IC 
card terminal 200 measures the user's biometric infor- 
mation (fingerprint image data) (step S11). From the bi- 
ometric information, biometric feature data extracting 
section 202 extracts to-be-verified biometric feature da- 55 
ta (stepS121). 

[01 63] The to-be-verified biometric f eatu re data is en- 
coded by data encryption section 204 using a public key 



for IC card 300 (step S131). The public key for IC card 
300, as described above, is read out from IC card-ded- 
icated public key register section 312 of IC card 300. 
Upon receipt of a specific command (predetermined sig- 
nal), the IC card-dedicated public key register section 
312 allows the public key to be read out therefrom, and 
the read-out public key is sent out from IC card 300 to 
IC card terminal 200. Since this key for use in encryp- 
tion, which is sent out from IC card 300 to IC card ter- 
minal 200, is a public key, it does not matter if the key 
is sent out in response to a simple command. 
[0164] After that, the to-be-verified biometric feature 
data encoded by data encryption section 204 using the 
public key is transferred/transmitted from transceiving 
interface 205 to IC card 300 (step S141). 
[0165] When IC card 300 receives encoded data via 
transceiving interface 301 , data encryption/decryption 
section 305 restores the encoded data, using a valid se- 
cret key, into the original to-be-verified biometric feature 
data (step S151). Biometric feature data verifying sec- 
tion 306 first compares the to-be-verified biometric fea- 
ture data with the valid biometric feature data (step S1 6). 
[0166] As a result of the comparison, if the level of 
correlation (the degree of the matching) between the to- 
be-verified biometric feature data and the valid biometric 
feature data is below a predetermined value (NO route 
of step S17), the object person is judged not to be the 
authorized user of the IC card 300 (step S22), and a 
predetermined action (for example, locking the card) is 
taken. 

[0167] Otherwise, if the level of correlation (the de- 
gree of a matching) between the to-be-verified biometric 
feature data and the valid biometric feature data is a pre- 
determined value or higher (YES route of step S17), the 
object person is judged to be the authorized user of the 
IC card 300 (step S24). After that, IC card 300 transmits/ 
receives data to/from IC card terminal 200 in accord- 
ance with a predetermined protocol. 
[0168] In this manner, with user verification system 
500 of the second embodiment, the to-be-verified bio- 
metric feature data is encoded by a public key system 
before the data is transmitted from IC card terminal 200 
to IC card 300, and all the data having been input to IC 
card 300 for use in user verification is decoded within 
IC card 300. Accordingly, the present system prevents 
the inputting of falsified to-be-verified biometric feature 
data, so that fraud can be effectively prevented, thereby 
guaranteeing a high level of security. 
[0169] Even if to-be-verified biometric feature data 
should be stolen, with a false IC card being inserted into 
the slot of IC card terminal 300, it is still difficult to wrong- 
fully use the stolen public key in another system, be- 
cause the key is encoded by a public key system. It is 
thus possible to guarantee a high level of security, real- 
izing secure user verification. 
[0170] Further, in user verification system 500 of the 
second embodiment, when IC card 300 receives a pre- 
determined signal (command) via transceiving interface 
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301 , the public key stored in IC card-dedicated public 
key register section 312 is read out and is then sent out 
to an external apparatus. Thus, it is possible for IC card 
terminal 200 to use the public key stored in IC card 300 
in encryption, with no necessity for IC card terminal 200 5 
to store any public key for IC card 300. 
[0171] The foregoing description of the first embodi- 
ment was made on a case where a portable electronic 
device is an I C card, and a data processing device is an 
IC card terminal. The present invention should by no io 
means be limited to this, and it is also applicable to other 
technical fields, such as automatic teller machines 
(ATMs), credit card terminals, and PC access-managing 
systems. 

15 

[2-1] First Modified Example of the Second 
embodiment: 

[0172] FIG. 11 is a block diagram showing a structure 
of a user verification system according to a first modifi- 20 
cation to the second embodiment of the present inven- 
tion. Like reference numbers designate similar parts or 
elements throughout several views of the present em- 
bodiment, so their detailed description is omitted here. 
[01 73] As shown in FIG. 1 1 , in user verification system 25 
500A of the first modification of the second embodiment, 
the following functions are added to IC card terminal 200 
and tC card 300 of user verification system 500 of FIG. 9. 
[0174] IC card terminal 200 has time stamp generat- 
ing section 203 which generates a time stamp as the 30 
date and time biometric feature data extracting section 
202 extracted the to-be-verified biometric feature data. 
Data encryption section 204 then encodes the to-be- 
verified biometric feature data, which has been extract- 
ed by biometric feature data extracting section 202, 35 
along with the time stamp (the date and time the to-be- 
verified biometric feature data was extracted; herein af- 
ter called the "verification date-and-time"), which has 
been generated by time stamp generating section 203, 
using a public key for IC card 300. Transceiving inter- 40 
face 205 sends out the to-be-verified biometric feature 
data, which has been encoded in a state that a time 
stamp is attached thereto. 

[01 75] IC card 300 has clock function section 304 and 
time stamp verifying section 307. The functions of these 
clock function section 304 and time stamp verifying sec- 
tion 307 are, in practical use, realized by a CPU built in 
IC card 300. 

[01 76] Clock function section 304 calculates the cur- 
rent time. Time stamp verifying section 307 compares so 
the time stamp restored by data encryption/decryption 
section 305 with the current time calculated by clock 
function section 304, and then evaluates whether or not 
the difference therebetween falls within a predeter- 
mined range (e.g., a predetermined value or smaller), ss 
[01 77] Referring now to the flowchart of FIG . 1 2, a de- 
scription will be made hereinbelow of an operation of 
user verification system 500A of the first modification to 



the second embodiment. Like step numbers designate 
the same processing as in FIG. 2, so their detailed de- 
scription is omitted here. As is apparent from the com- 
parison between FIG. 2 and FIG. 12, the operation in 
the first modification of the second embodiment is nearly 
the same as the operation in the first embodiment, ex- 
cept that the outputting of the verification results (user 
number and PIN) (step S21) is not executed in the first 
modification of the second embodiment. 
[0178] A user (object person to be verified) puts the 
tC card 300 into the slot of IC card terminal 200, and 
then presses his fingertip to a fingerprint input screen, 
if his fingerprint image data is requested to be input as 
biometric information for use in user verification. 
[0179] Biometric information measuring unit 201 of IC 
card terminal 200 measures the user's biometric infor- 
mation (fingerprint image data) (step S11). From the bi- 
ometric information, biometric feature data extracting 
section 202 extracts to-be-verified biometric feature da- 
ta, and time stamp generating section 203 generates the 
date and time (time stamp) the to-be-verified biometric 
feature data was extracted, and the time stamp is at- 
tached to the to-be-verified biometric feature data (step 
S12). 

[0180] The to-be-verified biometric feature data, 
along with the time stamp attached thereto, is encoded 
by data encryption section 204 using a public key for IC 
card 300 (step S13), and is then transferred/transmitted 
from transceiving interface 205 to IC card 300 (step 
S14). 

[0181] When IC card 300 receives encoded data via 
transceiving interface 301 , data encryption/decryption 
section 305 restores the encoded data, using a valid se- 
cret key, into the original to-be-verified biometric feature 
data and time stamp (step S15). Biometric feature data 
verifying section 306 first compares the to-be-verif ied- 
biometric feature data with the valid biometric feature 
data (step S16). 

[0182] As a result of the comparison, if the level of 
correlation (the degree of the matching) between the to- 
be-verified b iometric feature data and the valid biometric 
feature data is below a predetermined value (NO route 
of step S1 7), the object person is judged not to be the 
authorized user of the IC card 300 (step S22), and a 
predetermined action (for example, locking the card) is 
taken. 

[0183] Otherwise, if the level of correlation (the de- 
gree of the matching) between the torbe-verif ied biomet- 
ric feature data and the valid biometric feature data is a 
predetermined value or higher (YES route of step S1 7), 
time stamp verifying section 307 compares the time 
stamp restored by data encryption/decryption section 
305 with the current time calculated by clock function 
section 304 (step S18). 

[01 84] As a result of the comparison, if the difference 
between the time stamp (the extraction date-and-time) 
and the current time exceeds a predetermined value 
(NO route of step S19), the object person is judged not 
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to be the authorized user of the IC card 300 (step S23), 
and a predetermined action (for example, locking the 
card) is taken. 

[0185] Otherwise, if the difference between the time 
stamp (the extraction date-and-time) and the current 
time is a predetermined value or lower (YES route of 
stepS 19), the object person is judged to be the author- 
ized user of the IC card 300 (step S20). After that, IC 
card 300 transmits/receives data to/from IC card termi- 
nal 200 in accordance with a predetermined protocol. 
[0186] In this manner, user verification system 500 A 
of the first modification to the second embodiment guar- 
antees similar effects and benefits to those already de- 
scribed in the second embodiment. Additionally, even if 
to-be-verified biometric feature data should be inter- 
cepted during its transmission from IC card terminal 200 
to IC card 300, and even if the stolen feature data should 
be utilized in a replay attack against IC card 300, the 
difference between the time stamp (the extraction date- 
and-time) and the current time becomes significant. On 
the basis of such significant difference, it is possible to 
reject access attempts using such stolen to-be-verified 
biometric feature data, so that the security level of the 
system is significantly improved. 
[0187] Hence, as described in the first embodiment, 
if the stolen to-be-verified biometric feature data is used 
in a replay attack against IC card 300, the difference be- 
tween the date and time the to-be-verified biometric fea- 
ture data was extracted and the current time inevitably 
becomes significant. Taking advantage of this fact, user 
verification system 500A of the first modification to the 
second embodiment compares the date and time the to- 
be-verified biometric feature data was extracted (time 
stamp) with the current time. Access attempts made by 
using the to-be-verified biometric feature data are re- 
jected if the difference between the time stamp (extrac- 
tion date-and-time) and the current time is significantly 
great. It is thus difficult to use the stolen to-be-verified 
biometric feature data in a replay attack, thereby guar- 
anteeing a high level of security. 

[2-2] Second Modified Example of the Second 
embodiment: 

[0188] FIG. 1 3 is a block diagram showing a structure 
of a user verification system according to a second mod- 
ification to the second embodiment of the present inven- 
tion. Like reference numbers designate similar parts or 
elements throughout several views of the present em- 
bodiment, so their detailed description is omitted here. 
[0189] As shown in FIG. 13, in user verification sys- 
tem 500B of the second modification of the second em- 
bodiment, the following functions are added to IC card 
300 of user verification system 500A of FIG. 11 . 
[01 90] I n user verification system 500B, some contriv- 
ance is made in the transmission of the verification re- 
sults from IC card 300 to IC card terminal 200, which 
transmission is carried out after the object user is judged 



to be the authorized user of IC card 300 (following step 
S20) in the foregoing user verification system 500, 
500A. 

[0191] IC card 300 of the second modification to the 
s second embodiment thus includes user information reg- 
ister section 309 and verification log recording section 
310. These user information register section 309 and 
verification log recording section 310 are, in practical 
use, realized by a storage unit, such as a ROM and a 
10 RAM, built in IC card 300. 

[01 92] Here, user information register section 309 has 
pre-stored user information such as an account number, 
a bank account number, and a user number. 
[0193] As in the case of the first embodiment, verifi- 
es cation log recording section 31 0 holds a verification log 
for a limited time period. The verification log contains 
the results of the verification carried out by biometric f ea- 
ture data verifying section 302 and time stamp verifying 
section 307, and also the verification date-and-time ob- 
20 tained by clock function section 304. 

[01 94] Data encryption/decryption section 305 of user 
verification system 500B encodes the data to be trans- 
mitted to IC card terminal 200, along with the time stamp 
(the verification date-and-time), using a valid secret key 
25 for IC card terminal 200 stored in secret key register sec- 
tion 303. 

[0195] Referring now to the flowchart of FIG. 14,ade- 
scription will be made hereinbelow of an operation of 
user verification system 500B of the second modifica- 

30 tJon to the second embodiment. 

[0196] In user verification system 500B, after the ob- 
ject user is judged to be the authorized user of IC card 
300, following the flowchart of FIG. 10 or FIG. 12, that 
is, after step S20, the following are merged as verifica- 

35 tJon data (verification results) (step S51 ) : (1 ) user infor- 
mation, such as user number, stored in user information 
register section 309; (2) the level of con-elation between 
to-be-verified biometric feature data and valid biometric 
feature data, which correlation level has been obtained 

40 by biometric feature data verifying section 306; and (3) 
the verification date-and-time obtained by clock function 
section 304. 

[0197] After that, data encryption/decryption section 
305 encodes the verification data using the valid secret 

45 key stored in secret key register section 303 (step S52) f 
and the encoded data is then sent out from transceiving 
interface 301 to IC card terminal 200 (step S53). 
[0198] Also in the second embodiment, verification 
log recording section 31 0 of IC card 300 stores a verifi- 

50 cation log for a predetermined time period. The verifica- 
tion log involves the verification results ("OKTNG") ob- 
tained by biometric feature data verifying section 306 
and time stamp verifying section 307, and the verifica- 
tion date-and-time obtained by clock function section 

55 304. As such a verification log, the verification data 
which has been generated (merged) in step S51 may 
be stored in verification log recording section 31 0. 
[0199] In this manner, user verification system 500B 
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of the second modification of the second embodiment 
guarantees similar effects and benefits to those already 
described in the first modification of the second embod- 
iment. Additionally, the verification result to be provided 
is not a simple "OK" or B NG" signal, but the following are 5 
provided after their being encoded with the valid secret 
key stored within IC card 300: user information; the level 
of correlation between to-be-verified biometric feature 
data and valid biometric feature data; and the verifica- 
tion date-and-time. The encoded data is sent out to IC *o 
card terminal 200 via transceiving interface 301 . 
[0200] In other words, the verification result to be sent 
out is the information more complicated than the simple 
"OKVNG" signal, and the information is encoded using 
the secret key before it is sent out. ft thus becomes dif- is 
ficuft to tamper with such complicated information, in 
comparison with the simple "OKVNG" signal. In addi- 
tion, the issuer of the verification result can be certified. 
Further, the verification date-and-time (time stamp) is 
inserted into the verification result, making it difficult to 20 
use the verification result in another system. It is thus 
possible to surety prevent the result of verification of bi- 
ometric feature data from being tampered with or falsi- 
fied. 

[0201] Accordingly, even when the result of the veri- 25 
ftcation of biometric feature data, obtained within IC card 
300, is sent out to an external apparatus, a high level of 
security can be guaranteed, thus realizing safe user ver- 
ification. At that time, since the level of correlation be- 
tween the to-be-verified biometric feature data and the 30 
valid biometric feature data is provided as a verification 
result, it is possible to manage the record of with what 
degree of certainty the user authentication was estab- 
lished. 

[0202] Further, in user verification system 500B, ver- 35 
ifteation log recording section 31 0 of IC card 300 stores 
the verification results (OK/NG) obtained by biometric 
feature data verifying section 306 and time stamp veri- 
fying section 307, and it also holds the result of the merg- 
ing in step S51 for a predetermined time period. Thus, *o 
a record of the user verification performed is stored in 
IC card 300. 

[2-3] Third Modified Example of the Second 

Embodiment: 45 

[0203] FIG. 1 5 is a block diagram showing a structure 
of a user verification system according to a third modi- 
fication to the second embodiment of the present inven- 
tion. Like reference numbers designate similar parts or so 
elements throughout several views of the present em- 
bodiment, so their detailed description is omitted here. 
[0204] As shown in FIG. 15, in user verification sys- 
tem 500C of the third modification to the second embod- 
iment, the following functions are added to IC card ter- ss 
minal 200 and IC card 300 of user verification system 
500B of FIG. 13. 

[0205] More precisely, IC card terminal 200 includes 



electronic billing section 207 and message digest cre- 
ating section 208. 

[0206] Electronic billing section 207 creates an elec- 
tronic bill (transfer data) to be attached to to-be-verified 
biometric feature data, when the to-be-verified biometric 
feature data is sent out to IC card 300. Message digest 
creating section 208 generates a message digest, a val- 
ue which is obtained by inputting the electronic bill 
(transfer data) created by electronic billing section 207 
into a predetermined one-way function. 
[0207] The message digest, which has been created 
by message digest creating section 208, is encoded by 
data encryption section 204 together with the to-be-ver- 
ified biometric feature data, and is then transmitted from 
transceiving interface 205 to IC card 300. 
[0208] Further, IC card 300 has a function of message 
digest receiving section 31 6. Message digest receiving 
section 316 receives a message digest that is restored 
by data encryption/decryption section 305. 
[0209] Referring now to the flowchart of FIG. 1 6, a de- 
scription will be made hereinbelow of an operation of 
user verification system 500B of the third modification 
to the second embodiment. 

[0210] In user verification system 500C, after an ob- 
ject user is verified following the flowchart of FIG. 1 0 or 
FIG. 1 2, that is, after step S20, the following are merged 
as verification data (verification results) (step S61) : (1) 
user information, such as user number, stored in user 
information register section 309; (2) the level of correla- 
tion between to-be-verified biometric feature data and 
valid biometric feature data, which correlation level has 
been obtained by biometric feature data verifying sec- 
tion 306; (3) verification date-and-time obtained by clock 
function section 304; and (4) a message digest received 
by message digest receiving section 316. 
[0211] After that, data encryption/decryption section 
305 encodes the verification data using the valid secret 
key stored in secret key register section 303 (step S62), 
and the encoded data is then sent out from transceiving 
interface 301 to IC card terminal 200 (step S63). 
[0212] Here, in step S61, the foregoing data of (1) 
through (4) may further be merged with another mes- 
sage digest newly generated within IC card 300 and with 
the date and time the transaction permission was given 
to this message digest. 

[0213] In this manner, user verification system 500C 
of the third modification of the second embodiment guar- 
antees similar effects and benefits to those already de- 
scribed in the second modification of the second em- 
bodiment. Additionally, since a message digest is trans- 
mitted to IC card terminal 200 as a verification result, it 
is possible to manage a record of which transaction the 
verification was made for 

[0214] In step S61 , the foregoing data of (1 ) through 
(4) may further be merged with another message digest 
newfy generated within IC card 300 and with the date 
and time the transaction permission was given to this 
message digest. In this case, it is possible to reduce the 
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possibility with further reliability that verification results 
are tampered with or falsified. 

[3] Other Modifications: 

5 

[0215] The second embodiment, as in the third mod- 
ification of the first embodiment, may include verification 
counter section 313 and IC card lock section 314. If bi- 
ometric feature data verifying section 306 obtains the 
comparison result a predetermined times consecutively m 
that a matching condition between the to-be-verified bi- 
ometric feature data and the valid biometric feature data 
is not satisfied, IC card lock section 314 locks IC card 
300 to prohibit the inputting of biometric feature data to 
IC card 300, thereby preventing unauthorized accessing 15 
with reliability. 

[021 6] In the foregoing embodiments, the description 
was made on the cases where a portable electronic de- 
vice is an IC card. The present invention should by no 
means be limited to the above-illustrated embodiments, 20 
and various changes or modifications may be suggest- 
ed without departing from the gist of the invention. For 
example, any other type of portable electronic device 
(optical cards, radio communication cards, and so on) 
is also applicable which has a built-in storage unit and 25 
CPU, and which has a function for performing biometric 
user verification/authentication. With such an electronic 
device, like effects and benefits to those which have al- 
ready been described above are also guaranteed. 

30 

Industrial Applicability: 

[021 7] According to the present invention, user verifi- 
cation with biometric feature data is performed on a port- 
able electronic device. If the user is judged to be the 35 
authorized user of the portable electronic device, a PIN 
is transmitted from the portable electronic device to a 
management device. In this manner, since PIN verifica- 
tion is associated with biometric user verification utiliz- 
ing biometric information, which is free of being stolen 40 
or faked, it is possible to surely prevent the leakage and 
the theft of the PIN, so that a high level of security can 
be guaranteed, thereby realizing secure user verifica- 
tion. 

[021 8] Consequently, the present invention is suitable 45 
for use in a system where a PIN should be input as ver- 
ification, such as a debit card system, and the useful- 
ness of the present invention is extremely high. 



Claims 

1 . A user verification system , comprising: 

a portable electronic device (300), which is 55 
adapted to be carried by a user; 
a data processing device (200) for directly ac- 
cessing such portable electronic device (300) 



which is temporarily installed therein; and 
a management device (400) which accesses 
said portable electronic device (300) via said 
data processing device (200) and verifies said 
user utilizing a personal identification number 
(PIN), 

said data processing device (200) including: 

a biometric information measuring unit 

(201) for measuring biometric information 
of said user; 

a biometric feature data extracting section 

(202) for extracting to-be-verified biometric 
feature data from said biometric informa- 
tion, which has been measured by biomet- 
ric information measuring unit (201); and 
a first transceiving interface (205) for trans- 
mitting/receiving data to/From said portable 
electronic device (300) and said manage- 
ment device (400), 

said portable electronic device (300) including: 

a biometric feature data register section 
(302) having pre-stored valid biometric fea- 
ture data of an authorized user of said port- 
able electronic device (300); 
a second transceiving interface (301) for 
transmitting/receiving data to/from said da- 
ta processing device (200); 
a biometric feature data verifying section 
(306) for comparing to-be-verified biomet- 
ric feature data, which is received from an 
external device via said second transceiv- 
ing interface (301 ), with said valid biometric 
feature data; and 

a PIN register section (308) having a pre- 
stored PIN of said authorized user of said 
portable electronic device (300), 

said to-be-verified biometric feature data being 
transmitted from said first transceiving inter- 
face (205) of said data processing device (200) 
to said portable electronic device (300), 
said biometric feature data verifying section 
(306) of said portable electronic device (300) 
comparing said to-be-verified biometric feature 
data, which has been received via said second 
transceiving interface (301), with said valid bi- 
ometric feature data, and 
as the result of the comparison, if said to-be- 
verified biometric feature data matches said 
valid biometric feature data in terms of a pre- 
determined matching condition, said PIN being 
transmitted from said second transceiving in- 
terface (301) of said portable electronic device 
(300) to said management device (400) via said 
first transceiving interface (205) of said data 
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processing device (200). 

2. A user verification system according to claim 1 1 

wherein said data processing device (200) 
further includes a first encryption section (204) for s 
encoding said to-be-verified biometric feature data 
with a public key, 

wherein said portable electronic device (300) 
further includes: 

10 

a secret key register section (303) having a pre- 
stored valid secret key corresponding to said 
public key; and 

a decryption section (305) for decoding encod- 
ed data, which is received from an external de- is 
vice via said second transceiving interface 
(301), with said valid secret key, 

wherein said to-be-verified biometric feature 
data encoded by said first encryption section (204) 20 
is transmitted from said first transceiving interface 
(205) to said portable electronic device (300), as 
said encoded data, and 

wherein said decryption section (305) de- 
codes said encoded data, which has been received 25 
via said second transceiving interface (301), into 
the original to-be-verified biometric feature data, 
which is then compared with said valid biometric 
feature data by said biometric feature data verifying 
section (306). 30 

3. A user verification system according to claim 1 , 
wherein said portable electronic device (300) fur- 
ther includes: 

35 

a made-for-management-device public key 
register section (311) having a pre-stored pub- 
lic key dedicated to said management device 
(400); and 

a second encryption section (305) for encoding 40 
said PIN with said made-for-management-de- 
vice public key before said PIN is sent out to 
said management device (400). 

4. A user verification system according to claim 1 , 45 

wherein said portable electronic device (300) 
further includes a recording unit provided on its sur- 
face, said recording unit storing magnetic data on 
information for use in processing carried out by said 
management device (400), 50 

wherein said data processing device (200) 
further includes a magnetic data read-out unit (206) 
for reading out said magnetic data stored in said re- 
cording unit, and 

wherein said magnetic data, which has been 55 
readout by said magnetic data read-out unit (206), 
is sent out, together with said PIN, from said first 
transceiving interface (205) to said management 



device (400). 

5. A user verification system according to claim 3, 

wherein said data processing device (200) 
further includes a time stamp generating section 
(203) for generating a time stamp as the date and 
time when said biometric feature data extracting 
section (202) has extracted said to-be-verified bio- 
metric feature data, 

wherein, said time stamp is encoded, together 
with said to-be-verified biometric feature data, by 
said first encryption section (204), and the encoded 
time stamp is then sent out from said first transceiv- 
ing interface (205) to said portable electronic device 
(300), 

wherein said portable electronic device (300) 
further includes: 

a clock function section (304) for calculatingthe 
current time; and 

a time stamp verifying section (307) for com- 
paring the original time stamp, which has been 
restored by said decryption section (305), with 
said current time, which has been calculated by 
said clock function section (304), and 

wherein, if it is found, as the comparison result 
by said biometric feature data verifying section 
(306), that said to-be-verified biometric feature data 
matches said valid biometric feature data in terms 
of a predetermined matching condition, and also if 
it is found, as the comparison result by said time 
stamp verifying section (307), that a difference be- 
tween said time stamp and said current time falls 
within a predetermined range, said user is identified 
as said authorized user of said portable electronic 
device (300). 

6. A user verification system according to daim 5, 
wherein if said user is identified as said authorized 
user of said portable electronic device (300), as the 
comparison result by said biometric feature data 
verifying section (306) and said time stamp verifying 
section (307), said second encryption section (305) 
encodes both said PIN and the date and time of the 
comparison performed, which date and time is ob- 
tained by said clock function section (304), and the 
encoded PIN and the encoded date and time of the 
comparison are then sent out from said second 
transceiving interface (301) of said portable elec- 
tronic device (300) to said management device 
(400) via said first transceiving interface (205) of 
said data processing device (200). 

7. A user verification system according to claim 1, 
wherein upon receipt of a predetermined signal via 
said second transceiving interface (301), saidport- 
able electronic device (300) transmits public key in- 
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formation of said authorized user, which public key 
information is registered in said portable electronic 
device (300), from said second transceiving inter- 
face (301) to an external device. 

8. A user verification system according to claim 1 , fur- 
ther comprising a lock function section (31 4) which 
is operable to prohibit input of biometric feature in- 
formation to said portable electronic device (300), 
if the evaluation is made a predetermined number 
of times successively, as a result of the comparison 
by said feature data verifying section (306) of said 
portable electronic device (300), that said to-be-ver- 
ified biometric feature data never matches said val- 
id biometric feature data in terms of said predeter- 
mined matching condition. 

9. A user verification system according to claim 1, 
wherein said portable electronic device (300) fur- 
ther includes a management log recording section 
(317) storing a management log of said PIN, said 
management log accumulating the dates and times 
when said PIN has been transmitted, or the descrip- 
tions of transactions performed, or both of these. 

1 0. A portable electronic device with a user verification 
function utilizing biometric information, which port- 
able electronic device receives/transmits data from/ 
to a management device (400) that uses a personal 
identification number (PIN) to verify a user, said 
portable electronic device comprising: 

a biometric feature data register section (302) 
having pre-stored valid biometric feature data 
of an authorized user of said portable electronic 
device (300); 

a transceiving interface (301) for transmitting/ 
receiving data to/from an external device; 

a biometric feature data verifying section 
(306) for comparing to-be-verified biomet- 
ric feature data, which is received from an 
external device via said transceiving inter- 
face, with said valid biometric feature data; 
and 

a PIN register section (308) having a pre- 
stored PIN of said authorized user of said 
portable electronic device (300), 

said biometric feature data verifying section 
(306) comparing said to-be-verified biometric 
feature data, which has been received via said 
transceiving interface (301), with said valid bi- 
ometric feature data, and 
as the result of the comparison, if said to-be- 
verified biometric feature data matches said 
valid biometric feature data in terms of a pre- 
determined matching condition, said PIN being 
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transmitted from said transceiving interface 
(301) to said management device (400). 

1 1 . A portable electronic device according to claim 10, 
further comprising: 

a secret key register section (303) having a pre- 
stored valid secret key corresponding to said 
public key; and 

a decryption section (305) for decoding encod- 
ed data, which is received from an external de- 
vice via said second transceiving interface 
(301 ), with said valid secret key, 

said decryption section (305) decoding 
said encoded data, which has been re- 
ceived via said transceiving interface 
(301), into the original to-be-verified bio- 
metric feature data, and 
said biometric feature data verifying sec- 
tion (306) comparing the original to-be-ver- 
ified biometric feature data, which has 
been restored by said decryption section 
(305), with said vatid biometric feature da- 
ta. 

12. A portable electronic device according to claim 10, 
further comprising: 

a made-for-management-device public key 
register section (311) having a pre-stored pub- 
lic key dedicated to said management device 
(400); and 

an encryption section (305) for encoding said 
PIN with said made-for-management-device 
public key before said PIN is sent out to said 
management device (400). 

13. A portable electronic device according to claim 10, 
further comprising a recording unit provided on its 
surface, said recording unit storing magnetic data 
on information for use in processing which is earned 
out by said management device (400). 

14. A portable electronic device according to claim 12, 
further comprising: 

a clock function section (304) for calculating the 
current time; and 

a time stamp verifying section (307) for 
comparing a time stamp, if any, attached to 
the original to-be-verified biometric feature 
data restored by said decryption section 
(305), with said current time, which has 
been calculated by said clock function sec- 
tion (304), said time stamp indicating the 
date and time when said to-be-verified bi- 
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ometric feature data has been extracted, 

if it is found, as the comparison result by said 
biometric feature data verifying section (306), 
that said to-be-verified biometric feature data s 
matches said valid biometric feature data in 
terms of a predetermined matching condition, 
and also if it is found, as the comparison result 
by said time stamp verifying section (307), that 
a difference between said time stamp and said 10 
current time falls within a predetermined range, 
said user being identified as said authorized us- 
er of said portable electronic device (300). 

1 5. A portable electronic device according to claim 1 4, « 
wherein if said user is identified as said authorized 
user of said portable electronic device (300), as the 
comparison result by said biometric feature data 
verifying section (306) and said time stamp verifying 
section (307), said encryption section (305) en- 20 
codes both said PIN and the date and time of the 
comparison performed, which date and time is ob- 
tained by said clock function section (304), and the 
encoded PIN and the encoded date and time of the 
comparison are then sent out from said transceiving 25 
interface (301) to said management device (400). 

16. A portable electronic device according to claim 1 0, 
wherein upon receipt of a predetermined signal via 
said transceiving interface (301 ), said portable elec- 30 
tronic device (300) transmits public key information 

of said authorized user, which public key informa- 
tion is registered in said portable electronic device 
(300), from said transceiving interface (301) to an 
external device. 35 

17. A portable electronic device according to claim 1 0, 
further comprising a lock function section (314) 
which is operable to prohibit input of biometric fea- 
ture information to said portable electronic device 40 
(300), if the evaluation is made a predetermined 
number of times successively, as a result of the 
comparison by said feature data verifying section 
(306), that said to-be-verified biometric feature data 
never matches said valid biometric feature data in 45 
terms of said predetermined matching condition. 

18. A portable electronic device according to claim 1 0, 
further comprising a management log recording 
section (31 7) storing a management log of said PIN, so 
said management log accumulating the dates and 
times when said PIN has been transmitted, or de- 
scriptions of transactions performed, or both of 
these. 

55 

19. A user verification system, comprising: 

a portable electronic device (300), which is 



adapted to be carried by a user; and 
a data processing device (200) for directly ac- 
cessing such portable electronic device (300) 
which is temporarily installed therein, 
said data processing device (200) including: 

a biometric information measuring unit 

(201) for measuring biometric information 
of said user; 

a biometric feature data extracting section 

(202) for extracting to-be-verified biometric 
feature data from said biometric informa- 
tion, which has been measured by biomet- 
ric information measuring unit (201); 

a first encryption section (204) for encoding 
said to-be-verified biometric feature data 
with a public key; and 
a first transceiving interface (205) for trans- 
mitting/receiving data to/from said portable 
electronic device (300), 

said portable electronic device (300) including: 

a biometric feature data register section 
(302) having pre-stored valid biometric fea- 
ture data of an authorized user of said port- 
able electronic device (300) ; 
a second transceiving interface (301) for 
transmitting/receiving data to/from said da- 
ta processing device (200); 
a biometric feature data verifying section 
(306) for comparing to-be-verified biomet- 
ric feature data, which is received from an 
external device via said second transceiv- 
ing interface (301 ), with said valid biometric 
feature data; 

a secret key register section (303) having 
a pre-stored valid secret key correspond- 
ing to said public key; and 
a decryption section (305) for decoding en- 
coded data, which has been encoded with 
said public key, with said valid secret key, 

the encoded to-be-verified biometric feature 
data, which has been encoded by said first en- 
cryption section (204), being transmitted from 
said first transceiving interface (205) to said 
portable electronic device (300), 
said decryption section (305) decoding said en- 
coded data, which has been received via said 
second transceiving interface (301), into the 
original to-be-verified biometric feature data, 
and 

said biometric feature data verifying section 
(306) comparing the original to-be-verified bio- 
metric feature data with said valid biometric 
feature data. 



27 



53 



EP 1 237 091 A1 



54 



20. A user verification system according to claim 19, 

wherein said data processing device (200) 
further includes a time stamp generating section 
(203) for generating a time stamp as the date and 
time when said biometric feature data extracting 
section (202) has extracted said to-be-verified bio- 
metric feature data, 

wherein, said time stamp is encoded, together 
with said to-be-verified biometric feature data, by 
said first encryption section (204), and the encoded 
time stamp is then sent out from said first transcefv- 
ing interface (205) to said portable electronic device 
(300), 

wherein said portable electronic device (300) 
further includes: 

a clock function section (304) for calculating the 
current time; and 

a time stamp verifying section (307) for com- 
paring the original time stamp, which has been 
restored by said decryption section (305), with 
said current time, which has been calculated by 
said clock function section (304), and 

wherein, if it is found, as the comparison result 
by said biometric feature data verifying section 
(306), that said to-be-verified biometric feature data 
matches said valid biometric feature data in terms 
of a predetermined matching condition, and also if 
it is found, as the comparison result by said time 
stamp verifying section (307), that a difference be- 
tween said time stamp and said current time falls 
within a predetermined range, said user is identified 
as said authorized user of said portable electronic 
device (300). 

21. A user verification system according to claim 20, 

wherein said portable electronic device (300) 
further includes: 

a user information register section (309) having 
pre-stored user information about said author- 
ized user of said portable electronic device 
(300); and 

a second encryption section (305) for encoding 
data, which is to be transmitted from said sec- 
ond transceiving interface (301) to said data 
processing device (200), with said valid secret 
key, and 

wherein as a result of comparison by said bi- 
ometric feature data verifying section (306) and said 
time stamp verifying section (307), if said user is 
identified as said authorized user of said portable 
electronic device (300), said second encryption 
section (305) encodes at least one of the following 
items: said user information; the level of correlation 
between said to-be-verified biometric feature data 



and said valid biometric feature data, which corre- 
lation level is obtained at the comparison; and the 
date and time of said comparison performed, which 
is provided by said clock function section (304), and 
s the encoded item is sent out from said second trans- 
ceiving interface (301) to said data processing de- 
vice (200) as a verification result. 

22. A user verification system according to claim 21 , 
10 wherein said data processing section (200) 

further includes a message digest creating section 
(208) for creating a message digest as a value ob- 
tained by inputting data to be transferred to said 
portable electronic device (300) to a predetermined 

is one-way function, 

wherein said message digest and said to-be- 
verified biometric feature data are both encoded by 
said first encryption section (204), and are then sent 
out from said first transceiving interface (205) to 

20 said portable electronic device (300), 

wherein if said user is identified as said au- 
thorized user of said portable electronic device 
(300), as the comparison result by said biometric 
feature data verifying section (306) and said time 

25 stamp verifying section (307), said second encryp- 
tion section (305) encodes the message digest 
which has been restored by said decryption section 
(305), and the encoded message digest is sent out 
from said second transceiving interface (301) to 

30 said data processing device (200), as a verification 
result. 

23. A user verification system according to claim 21 , 
wherein said portable electronic device (300) fur- 

35 ther includes a verification log recording section 
(310) storing said verification result as a verification 
log for a predetermined time period. 

24. A user verification system according to claim 19, 
40 wherein upon receipt of a predetermined signal via 

said second transceiving interface (301), said port- 
able electronic device (300) transmits public key in- 
formation of said authorized user, which public key 
information is registered in said portable electronic 
45 device (300), from said second transceiving inter- 
face (301) to an external device. 

25. A user verification system according to claim 19, 
further comprising a lock function section (314) 

so which is operable to prohibit input of biometric fea- 
ture information to said portable electronic device 
(300), if the evaluation is made a predetermined 
number of times successively, as a result of the 
comparison by said feature data verifying section 
55 (306) of said portable electronic device (300), that 
said to-be-verified biometric feature data never 
matches said valid biometric feature data in terms 
of said predetermined matching condition. 
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26. A portable electronic device with a user verification 
function utilizing biometric information, said porta- 
ble electronic device, comprising: 

a biometric feature data register section (302) 5 
having pre-stored valid biometric feature data 
of an authorized user of said portable electronic 
device (300); 

a transceiving interface (301 ) for transmit- ' 0 
ting/receiving data to/from an external de- 
vice; 

a biometric feature data verifying section 
(306) for comparing to-be-verified biomet- 
ric feature data, which is received from an 15 
external device via said transceiving inter- 
face (301 ), with said valid biometric feature 
data; 

a secret key register section (303) having 
a pre-stored valid secret key correspond- 20 
ing to said public key; and 
a decryption section (305) for decoding en- 
coded data, which has been encoded with 
said public key, with said valid secret key, 

25 

said decryption section (305) decoding said en- 
coded data, which has been received via said 
transceiving interface (301 ), into the original to- 
be-verified biometric feature data, and 
said biometric feature data verifying section 30 
(306) comparing the original to-be-verified bio- 
metric feature data with said valid biometric 
feature data. 

27. A portable electronic device according to claim 26, 35 
further comprising: 

a clock function section (304) for calculating the 
current time; and 

40 

a time stamp verifying section (307) for 
comparing a time stamp, if any, attached to 
the original to-be-verified biometric feature 
data restored by said decryption section 
(305), with said current time, which has 45 
been calculated by said clock function sec- 
tion (304), said time stamp indicating the 
date and time when said to-be-verified bi- 
ometric feature data has been extracted, 

50 

if it is found, as the comparison result by said 
biometric feature data verifying section (306), 
that saidto-be-verifled biometric feature data 
matches said valid biometric feature data in 
terms of a predetermined matching condition, 55 
and also if it is found, as the comparison result 
by said time stamp verifying section (307), that 
a difference between said time stamp and said 



current time falls within a predetermined range, 
said user being identified as said authorized us- 
er of said portable electronic device (300). 

28. A portable electronic device according to claim 27, 
further comprising: 

a user information register section (309) having 
pre-stored user information about said author- 
ized user of said portable electronic device 
(300); and 

an encryption section (305) for encoding data, 
which is to be transmitted from said transceiv- 
ing interface (301) to said data processing de- 
vice (200), with said valid secret key, 
as a result of comparison by said biometric fea- 
ture data verifying section (306) and said time 
stamp verifying section (307), if said user is 
identified as said authorized user of said port- 
able electronic device (300), said encryption 
section (305) encoding at least one of the fol- 
lowing items: said user information; the level of 
correlation between said to-be-verified biomet- 
ric feature data and said valid biometric feature 
data, which correlation level is obtained at the 
comparison; and the date and time of said com- 
parison performed, which is provided by said 
clock function section (304), and the encoded 
item being sent out from said transceiving in- 
terface (301) to said data processing device 
(200) as a verification result. 

29. A portable electronic device according to claim 28, 
wherein if said user is identified as said authorized 
user of said portable electronic device (300), as the 
comparison result by said biometric feature data 
verifying section (306) and said time stamp verifying 
section (307), and also if a message digest, which 
is obtained by inputting data to be transferred to 
said portable electronic device (300) to a predeter- 
mined one-way function, is attached to the original 
to-be-verified biometric feature data restored by 
said decryption section (305), said encoding sec- 
tion (305) encodes said message digest, and the 
encoded message digest is then sent out from said 
transceiving interface (301 ) to said data processing 
device (200) as a verification result. 

30. A portable electronic device according to claim 28, 
further including a verification log recording section 
(310) storing said verification results as a verifica- 
tion log for a predetermined time period. 

31 . A portable electronic device according to claim 26, 
wherein upon receipt of a predetermined signal via 
said transceiving interface (301 ), said portable elec- 
tronic device (300) transmits public key information 
of said authorized user, which public key informa- 
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tion is registered in said portable electronic device 
(300), from said transceiving interface (301) to an 
external device. 

32. A portable electronic device according to claim 26, s 
further comprising a lock function section (314) 
which is operable to prohibit input of biometric fea- 
ture information to said portable electronic device 
(300), if the evaluation is made a predetermined 
number of times successively, as the result of the 10 
comparison by said feature data verifying section 
(306), that said to-be-verified biometric feature data 
never matches said valid biometric feature data in 
terms of said predetermined matching condition. 
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